Standard
UCSF 650-16 Addendum B - UCSF Minimum Security Standards for Electronic Information Resources
Impacted Services: IT Security Outreach and Training
Effective Date: December 2007, Updated December 2021
Contents
- Purpose
- Overview and Scope
- Exception from Minimum Security Standards
- Exception Requests Covering Legacy Systems
- Compatibility Exemptions
- Enforcement
- Minimum Security Standards
- System Inventory and Protection Level Classification (PLC)
- Transmission of Restricted Information
- Physical Security
- System Management Agent
- Network Access Control (NAC)
- Anti-Virus
- Host-Based Firewall
- Security Endpoint Detection and Response Agent (EDR)
- Device Encryption
- Authentication
- Passwords
- Software Patch Updates
- Application and Website Security
- Enterprise Vulnerability Management
Purpose
UCSF Policy 650-16, Addendum B, establishes the requirement for Minimum Security Standards for IT Resources. This is a living document that defines the UCSF Minimum Security Standards with which all campus IT Resources must comply.
Overview and Scope
These standards apply to all units within UCSF, including UCSF Health.
Non-UCSF devices, including personal computing devices, are expected to meet these standards when used to connect to the UCSF network. For example, a personal computer that accesses the UCSF network through a VPN connection would be expected to meet these standards. Additionally, non-UCSF devices are expected to meet these standards when used to conduct UCSF business, including storing or processing UCSF information.
The minimum standards in this document are reviewed, updated for applicability, and approved by the Committee on IT Security at least once a year or more often as determined by the UCSF Chief Information Security Officer.
Exception from Minimum Security Standards
Individuals who believe that their devices or applications are unable to meet UCSF's Minimum Security Standards must apply for a yearly exception by completing and digitally signing the online form linked below. Upon receiving the completed form, signed by the individual's department leadership, IT Security will contact the requester for a consultation. After this consultation the University's Chief Information Security Officer (CISO) will respond to the request.
Instructions for filling out the Security Exception Request Form
Exception Requests Covering Legacy Systems
If granted, exception requests for an operating system that is no longer supported by the vendor will be for 12 months from the date of approval. All exception requests, including renewals of previous exception requests, must document the controls implemented to mitigate the risk to the system and to UCSF. Failure to renew an exception may result in disconnection from UCSF's network.
For systems that access or store ePHI, departments are advised to consider this exception documentation and the accompanying controls carefully in order to remain compliant with the HIPAA Security Rule, 45 CFR § 164.308(a)(1)(ii)(B), which requires UCSF to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Controls are countermeasures that avoid or minimize security risks. Because the system seeking the exception cannot itself be brought up to standard (for example, an operating system that no longer receives patches), these compensating controls are generally implemented outside that system, such as restricting which networks and hosts can reach it.
Compatibility Exemptions
Systems that are incompatible with or unsupported by the UCSF-specific tools will be exempted from the corresponding requirement(s) of the Minimum Security Standards. Each Compatibility Exemption is listed by security application and operating system in the Security 2.0 FAQs.
For vendor-supported systems and/or appliances residing on the UCSF network where UCSF staff do not have administrative access, the vendor maintaining the system is responsible for adherence to these standards. When P3/P4 data is involved in these circumstances, a Business Associate Agreement and/or Appendix DS may be required.
Enforcement
Computing devices found to be non-compliant with these standards and without an exception on file are subject to disconnection from the UCSF network and may be prohibited from connecting to UCSF resources.
Minimum Security Standards
System Inventory and Protection Level Classifications
Systems must be inventoried as configuration items in the enterprise configuration management database (CMDB); this includes, but is not limited to, physical servers, virtual servers, systems, endpoints, networking devices, printers, load balancers, and virtual IPs (VIPs). This applies to all devices used for UCSF business. Any changes to a system throughout its lifecycle must be recorded in the enterprise CMDB.
Devices meeting the System Management Agent standard are inventoried automatically. Devices that are incompatible with or unsupported by the System Management Agent standard can be inventoried, and their registration updated, directly in the ServiceNow CMDB.
Additionally, systems must have their protection level classification set in the enterprise CMDB. UCSF protection level classifications are defined here.
Transmission of Restricted Information
Restricted and Sensitive Information (P4 and P3 data) that is transmitted over non-UCSF networks must be encrypted. Restricted and Sensitive Information includes, but is not limited to, ePHI and personally identifiable information such as Social Security numbers.
Transmit P4 and P3 data only when necessary.
All email that contains electronic Protected Health Information (ePHI) or other Restricted Information must be encrypted if it is addressed outside the UCSF network environment. An existing service is available to accommodate encrypted email at the Secure Email Procedure Page.
Non-UCSF or 3rd party email services are not approved for use by faculty, staff, or students for conducting UCSF business.
Physical Security
Unauthorized physical access to an unattended device (including mobile devices) can result in harmful or fraudulent modification of data, fraudulent use of email, or any number of other potentially dangerous situations. Whenever possible and appropriate, devices must be configured to lock the screen and require the user to re-authenticate after no more than 20 minutes of inactivity.
Computing devices that are left unattended must be located in locked areas or otherwise physically secured (e.g., with a cable lock).
System Management Agent
In order to inventory computers and enable basic security compliance, users must install system management software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The system management software is BigFix and is available through the UCSF IT Software Download Page.
Network Access Control (NAC)
In order to identify computers connected to the UCSF network, assess endpoint security compliance, and prevent unauthorized computers from connecting to the UCSF network, users must install network access control software provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The network access control software, SecureConnector, is available through the UCSF IT Software Download Page. More information is available at the NAC Overview.
Anti-Virus Software
Anti-virus software must be active with current anti-virus signatures on computing devices connected to the network including laptop computers, desktop computers, and servers, except where there are significant compensating controls that would prevent virus infiltration.
IT currently has a contract with Symantec by Broadcom to provide anti-virus software as part of the Symantec Endpoint Protection (SEP) solution bundled with host-based firewall and IPS, available on the UCSF IT Software Download Page.
Host-Based Firewall Software
Firewalls that run on desktops, laptops, and servers are often referred to as host-based or personal firewalls. Host-based firewall software (if available for the platform) must be running and configured on networked computing devices, including laptop computers, desktop computers, and servers. While the use of departmental network firewalls is encouraged, they do not obviate the need for host-based firewalls: a departmental firewall protects a device only while it sits behind that firewall, whereas a host-based firewall travels with the device (for example, a laptop on a home or public network) and also limits lateral movement between hosts on the same internal segment.
IT currently has a contract with Symantec by Broadcom to provide host-based firewall software as part of the Symantec Endpoint Protection (SEP) solution bundled with anti-virus and host-based IPS, available on the UCSF IT Software Download Page.
Security Endpoint Detection and Response Agent (EDR)
In order to provide advanced protection monitoring and response capabilities, users must install the security endpoint detection and response agent provided by IT. This applies to both UCSF-owned and non-UCSF-owned endpoints.
The IT supported/integrated endpoint detection and response (EDR) agent is delivered through the system management software (BigFix). More information about the EDR agent is available at the EDR Service Page.
Device Encryption
Given the prevalence of restricted data in the UCSF environment, all endpoints (desktops, laptops, and mobile devices including smartphones and tablets) used for UCSF business must be encrypted. This applies to both UCSF-owned and non-UCSF-owned endpoints.
Encryption keys must be securely escrowed to allow emergency access when approved by the CISO. Units or Individuals within UCSF who cannot use an IT-prescribed method of key escrow due to technical or business requirements must submit their key as prescribed by the Proof of Encryption Service Page.
Servers that store or process restricted information must be encrypted or have compensating security controls, such as those found in UCSF data centers.
IT provides encryption software for laptops and desktops at the How to Encrypt Your Computer Page.
Mobile devices must be connected to the UCSF Exchange/O365 email server with either Intune mobile device management (using Microsoft Intune Company Portal) or Intune mobile application management (MAM, using Microsoft Authenticator), which enforces the required security settings. More information regarding connecting your mobile device can be found at the Mobile Device Email Page.
Those who believe they need an exception to this device encryption standard due to a hardware or software incompatibility must submit a computer encryption waiver at the Request a Device Encryption Waiver Page.
Authentication
All forms of authentication must use adequate encryption to protect login credentials (such as user names, passwords, and tokens) from disclosure to unauthorized parties. Authentication over unencrypted channels (for example, protocols that send passwords in cleartext) is prohibited. Multi-Factor Authentication (MFA) is required in the circumstances dictated by the UC Account and Authentication Management Standard; UCSF additionally requires MFA for administrative access to servers.
Passwords
Campus electronic communication systems or services must identify users and authorize access by means of passwords or other secure authentication processes. Shared-access systems must enforce the Unified UCSF Enterprise Password Standard whenever possible. Shared-access systems must, whenever possible and appropriate, require that users change any pre-assigned passwords immediately upon initial access to the account.
All default passwords on network-accessible devices must be changed. System administrators must not reuse the password for their personal, non-privileged access to a service or device as the password for privileged access to any service or device.
Privileged administrator accounts with access to sensitive Windows systems should use passphrases that are 15 or more characters.
Software Patch Updates
Networked computing devices must be kept updated with the most recent applicable security patches. Departments should document and implement a process to apply security patches in a timely fashion. Exceptions may be made for patches that compromise the usability of critical applications; these exceptions should be documented.
Application and Website Security
Application and website owners are responsible to ensure that applications and sites are secure, and must conduct periodic vulnerability assessments of these applications and sites. More information regarding secure coding best practices and vulnerability scanning services can be found at the Application and Website Security Page.
Enterprise Vulnerability Management
Systems connected to the UCSF network are scanned for vulnerabilities by IT Security regularly. System owners must not block or otherwise impede UCSF enterprise vulnerability scanning tools from accessing their systems.
Authenticated vulnerability scans are required for all Internet-accessible systems, all servers in UCSF Enterprise IT data centers, and internal servers that are classified as PLC P3 or P4.
System owners must mitigate vulnerabilities within the timelines below. Timelines are based on exposure, vulnerability criticality, and protection level classification. The remediation timeline begins with the announcement or discovery of a vulnerability.
IT Security may elevate the severity of certain serious vulnerabilities based on threat intelligence and real-world exploitation activity. These situations will be uncommon, and IT Security will communicate the severity escalation. See the following link for more information about Urgent and Emergency Vulnerability Remediation.
Definitions
Internet-accessible – systems and applications that are accessible from outside the UCSF network. This includes directly exposed systems, systems behind an internet-accessible load balancer or proxy, and servers residing in an internet-accessible network zone.
Severity – classification based on the industry-standard Common Vulnerability Scoring System (CVSS) score.
Remediation – activities that mitigate the impact of vulnerability exploitation. Remediation methods may include (but are not limited to):
- Patching/updating (most common method)
- Limiting or removing network access
- User input sanitization
- Other documented vendor mitigation
- Short-term deferral (approval required)
Internet-Accessible Vulnerability Mitigation Timeline (calendar days)
- Critical severity – 7 days
- High severity – 14 days
- Medium severity – 30 days
Internal-Only Vulnerability Mitigation Timeline (calendar days)
- Critical severity – 30 days
- High severity – 30 days
- Medium severity – 45 days
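As an added illustration (not part of the standard itself), the following Python script applies the timelines above to a set of scan findings: it buckets CVSS base scores into the severities used in the tables (the cutoffs are the CVSS v3.x qualitative rating scale, an assumption since the page says only that severity is CVSS-based), starts the clock at the discovery date, honors a severity escalation communicated by IT Security, and lists what is overdue. The page's tables key on exposure and severity only, so protection level classification is not used here. Hostnames, finding IDs, scores and dates are constructed sample data; low-severity findings get no deadline because the standard states none.

```python
"""Added example, not UCSF's code: remediation deadlines and overdue findings
derived from the Enterprise Vulnerability Management timelines.
CVSS-to-severity cutoffs follow the CVSS v3.x qualitative scale (assumed).
All sample findings below are constructed for illustration."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Calendar-day timelines from the standard, keyed by internet_accessible then severity.
TIMELINES = {
    True:  {"critical": 7,  "high": 14, "medium": 30},   # Internet-accessible
    False: {"critical": 30, "high": 30, "medium": 45},   # Internal-only
}

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating (CVSS v3.x scale, assumed)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    host: str
    finding_id: str              # scanner's own finding identifier (constructed here)
    cvss: float
    internet_accessible: bool
    discovered: date             # the standard's clock starts at announcement/discovery
    escalated_to: Optional[str] = None  # severity override communicated by IT Security


def effective_severity(f: Finding) -> str:
    """IT Security may raise a finding's severity; an override never lowers it."""
    base = cvss_severity(f.cvss)
    if f.escalated_to is None:
        return base
    if f.escalated_to not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {f.escalated_to}")
    return max(base, f.escalated_to, key=SEVERITY_ORDER.index)


def due_date(f: Finding) -> Optional[date]:
    """Mitigation deadline, or None when the standard sets no timeline
    (low/none severity has no stated deadline on the page)."""
    days = TIMELINES[f.internet_accessible].get(effective_severity(f))
    return None if days is None else f.discovered + timedelta(days=days)


def overdue(findings, today):
    """Findings whose deadline has passed as of `today` (a date or ISO string),
    as (host, finding_id, severity, days_overdue) tuples, most overdue first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    late = []
    for f in findings:
        d = due_date(f)
        if d is not None and today > d:
            late.append((f.host, f.finding_id, effective_severity(f), (today - d).days))
    return sorted(late, key=lambda t: t[3], reverse=True)


# Constructed sample findings (hostnames, IDs, scores and dates are illustrative only).
SAMPLE = [
    Finding("web-01.example",   "F-001", 9.8, True,  date(2024, 3, 1)),  # critical, 7 days
    Finding("app-02.example",   "F-002", 7.5, False, date(2024, 3, 1)),  # high, 30 days
    Finding("db-03.example",    "F-003", 5.3, False, date(2024, 3, 1)),  # medium, 45 days
    Finding("lb-04.example",    "F-004", 6.1, True,  date(2024, 3, 5),
            escalated_to="critical"),                                    # escalated: 7 days
    Finding("kiosk-05.example", "F-005", 3.1, False, date(2024, 1, 1)),  # low, no stated deadline
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:18} {f.finding_id} {effective_severity(f):8} due {due_date(f)}")
    for host, fid, sev, days in overdue(SAMPLE, "2024-03-20"):
        print(f"OVERDUE {host} {fid} ({sev}): {days} days past deadline")
```

Feed it a real scan export by building `Finding` objects from the scanner's CSV; the only fields needed are the CVSS base score, whether the host meets the page's definition of internet-accessible, and the discovery date.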
- Owning Team: IT Security