ISO
27002:2005
|
Payment Card Industry
PCI DSS 3.2
|
Gramm-Leach-Bliley Act
GLBA
|
NIST
SP 800-171 r1
|
Financial Audit
|
LETU
Compliance Controls
|
| Section 4: Risk Assessment & Treatment |
|
4.1
Assessing Security Risks
Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization
• Performed Periodically
• Systematic Approach estimating risks
• Clearly defined scope
|
PCI is an audit standard and risks are quantified and
prioritized within it
Maintain an Information Security Policy
12.2 - Implement a risk-assessment process that:
• Is performed at least annually and upon
significant changes to the environment
(for example, acquisition, merger,
relocation, etc.),
• Identifies critical assets, threats, and
vulnerabilities, and
• Results in a formal, documented analysis
of risk
|
III.B. Assess Risk
FSA GENERAL-23-09 (b) |
N/A |
|
Internal Audit/Risk Assessment
(incl NIST Framework for Improving Critical Infrastructure Cybersecurity)
LETU evaluates internal CyberSecurity measures
against NIST Framework v1.1 as part of Information Security Internal Audit and Risk Assement (Secure Document: available internally)
Trustwave PCI Rapid Comply/Clover Security
PCI compliance scanner: cloversecurity.com
Server Vulnerability Scans
All servers scanned continuously using Tenable.io vulnerability scanning tool.
External facing IPs and servers scanned weekly by National Cybersecurity Assessment and Technical Services (NCATS)
Penetration Testing
Twice-annual penetration testing consists of both internal and external penetration tests and comprehensive reports by a qualified third party provider.
EDR
Microsoft Defender and Azure Security center continuously scan for vulnerability on University Servers and Workstations.
DLP Compliance
DLP Compliance polices (currently active on all LETU O365-enabled accounts) alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform.
Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance on detected issues or vulnerabilities affecting compliance with best practices or regulatory issues within LETU's network architecture. These alerts trigger configuration team reviews and modifications as needed.
Title IV: Department of Education Requirements
|
|
4.2
Treating Security Risks
Before treating, organization must ascertain
ability and level of risk acceptable to an
organization
• Knowing and objectively accepting risk
in accordance with organization risk
tolerance
• Avoiding risk by not engaging in
activities that introduce risk
• Transferring risks to other parties
|
Protect Cardholder Data
3.4 - Render PAN (Primary Account Number),
at a minimum, unreadable anywhere
it is stored (including on portable digital media,
backup media, in logs)
6 - Develop and maintain secure systems and
applications
|
III.C. Manage and Control Risk
FSA GENERAL-23-09 (c) |
N/A |
|
Security Safeguards Program: Title IV Data
EDR
Microsoft Defender and Azure Security center continuously remediate identified risks and vulnerabilities on University Servers, Workstations., and authenticaiton systems
All data at rest stored using one-way strong
encryption hashes
Cardholder Data
PAN information is not stored on LETU systems. All external vendors required to comply with PCI DSS standards.
LETU Maintains PCI Compliant status.
MFA
Mandatory multi-factor authentication for all LETU employees eliminates threat of single-factor password compromises.
|
| Section 5: Security Policy |
|
5.1
Information Security Policy
Information security policies should be
sponsored/approved by management,
published to all employees and relevant
external parties
Include within:
• Definition of information security,
objectives, scope, and importance
• Statement of management intent,
supporting goals and principles
• Framework for setting control
objectives and controls
|
Maintain an Information Security Policy
12.4 - Ensure that the security policy and procedures
clearly define information security responsibilities for
all employees and contractors
12.5.1 - Establish, document, and distribute security
policies and procedures
|
II.A. Information
Security Program
II.B. Objectives
III.A. Invoice Board
of Directors
FSA GENERAL-23-09 (e)
|
N/A |
Security
f. Information Security policy
|
LETU Policies 6.1-12
LETU Policies 6.1-12 cover Information Security, Acceptable use and other critical procedures for the security of institution and customer data.
LETU Information Security Compliance Reference
LETU Information Security Compliance Reference reviewed by Information Security office annually and employees reminded annually of LETU security policies and procedures through annual required cybersecurity training (LETU Policy 6.12).
Title IV: Department of Education Requirements
|
| Section 6: Organization of Information Security |
|
6.1
Internal Organization
A management framework should be
established to initiate and control the
implementation of information security
within the organization
|
Maintain an Information Security Policy
12.4 - Ensure that the security policy and procedures
clearly define information security responsibilities for
all employees and contractors.
12.5.1 - Establish, document, and distribute security
policies and procedures
|
II. A. Information
Security Program
II.B. Objectives
III. A. Involve the
Board of Directors
III.C. Manage and
Control Risk
III.F. Report to the
Board
|
3.1.4 Separate the duties of individuals
to reduce the risk of malevolent activity
without collusion
3.6 Incident Response
3.14 System and Information Integrity
|
|
LETU Information Security Compliance Reference
LETU Information Security Compliance Reference reviewed by Information Security office annually and employees reminded annually of LETU security policies and procedures through annual required cybersecurity training (LETU Policy 6.12).
Security Awareness Program: Cardholder Data
Title IV: Department of Education Requirements
|
|
6.2
External Parties
To maintain the security of information and
information processing facilities that are
accessed, processed, communicated to, or
managed by external parties
|
Maintain an Information Security Policy
12.8.2 - Maintain a written agreement that includes an
acknowledgement that the service providers are
responsible for the security of cardholder data the
service providers posess
|
III.C. Manage and
Control Risk
III.D. Oversee
Service Provider
Arrangements
FSA GENERAL-23-09 (f)
|
3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems)
3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute
|
|
Statements of Service Provider Compliance: PCI |
| Section 7: Asset Management |
|
7.1
Responsibility for Assets
All assets should be accounted for and have
a nominated owner
|
Maintain an Information Security Policy
12.3.4 Labeling of devices with owner, contact
information, and purpose
|
FSA GENERAL-23-09 (c(2)) |
3.1.21 Limit use of organizational portable
storage devices on external information
systems
3.4.1 Establish and maintain baseline
configurations and inventories of
organizational information systems
throughout their life cycle
3.4.2 Establish and enforce security
configuration settings for information
technology products employed in
organizational information systems
3.9 Personnel Security
|
|
Card Devices
Physical labeling and annual inspection of card devices for payment card industry cards.
Network Equip
All LETU network equipment physically tagged and inventoried for tracking purposes.
System Center Configuration Manager
Used to tattoo funding agent responsible for asset
and to inventory asset information to central database
|
|
7.2
Information Classification
Information should be classified to indicate
the need, priorities and expected degree of
protection
• Define an information classification
scheme
|
Implement Strong Access Control Measures
7.1 - Limit access to system components and cardholder
data to only those individuals whose job requires
such access.
7.2 - Establish an access control system for system
components with multiple users that restricts access
based on a user’s need to know and is set to "deny
all" unless specifically allowed.
|
PII (Personal Indentifying Information) is protected here. |
3.8 Media Protection
3.13.1 Monitor, control, and protect
organizational communications at the
external boundaries and key internal
boundaries of the information systems
|
|
Data Classification Standard
LETU Policy 6.2: Data Classification
Datacenter Security Measures
All LETU Datacenters containing protected information are secured by
proximity-based card access control systems with highly restrictive
access configurations as well as video security coverage with archival
review capabilities. Access to all LETU Datacenters is extremely limited.
More information is available in the
LETU Datacenter Security Guidelines document.
Network ACLs
Network Access Control lists (ACLs) are used to restrict access to systems based
on IP, port or other network characteristic and is used to restrict access to
locations from which access is expected to originate.
Security Groups
Security Groups are used to restrict access to specific content on a per-user
basis as authorized by the primary owner of the data or content.
|
| Section 8: Human Resources Security |
|
8.1
Prior to Employment
To ensure that employees, contractors and
third party users understand responsibilities,
and are suitable for their roles; reduce the
risk of theft, fraud, and or misuse of facilities/
resources
|
Maintain an Information Security Policy
12.7 - Screen potential employees prior to hire to
minimize the risk of attacks from internal sources.
|
III.C. Manage and
Control Risk
FSA GENERAL-23-09 (e)
|
3.9.1 Screen individuals prior to authorizing
access to information systems containing CUI
|
|
Human Resources
Background checks are performed on all new-hires
LETU Information Security Training
Initial required cybersecurity training for new employees and recurring training for existing employees required per LETU Policy 6.12: Cybersecurity Training.
|
|
8.2
During Employment
To ensure that employees, contractors and
third party users are aware of information
security threats and concerns, their
responsibilities and liabilities, and are
equipped to support security policy in the
course of their normal work
|
Maintain an Information Security Policy
12.6 - Implement a formal security awareness program
to make all employees aware of the importance of
cardholder data security.
|
III.C. Manage and
Control Risk
|
3.2 Awareness and Training
3.6 Incident Response
|
Systems Development and Change Management
c. Policies regarding system development, program change
Security
i. Procedures for issuing and suspending user access
|
New-Hire training
IT orientation with all new employees to brief them on cybersecurity best practices
LETU Information Security Training
Initial required cybersecurity training for new employees and recurring training for existing employees required per LETU Policy 6.12: Cybersecurity Training.
DLP Compliance
DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform.
Self-Phishing Campaigns
Quarterly self-phishing conducted with email training
sent to all employees
Annual PCI training
Yearly PCI training emailed to employees directly involved
in credit card processing
Program Change
IT Directors review training needs during annual performance reviews. Employees offered training as new software is made available
Annual Re-Authorization
Each year access rights are periodically reviewed by every supervisor and must be reauthorized to maintain those rights for the upcoming year
|
|
8.3
Termination or Change of Employment
To ensure that employees, contractors and
third party users exit an organization or
change employment in an orderly manner
|
Implement Strong Access Control Measures
9.3 - Immediately revoke access for any terminated
users
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
N/A |
3.9.2 Ensure that CUI and information systems
containing CUI are protected during and after
personnel actions such as terminations
and transfers
|
Security
i. Procedures for suspending and closing user accounts
|
Account Automation
In-house programmatic account access control used to
disable accounts keyed off an employee's separation date
in an HR database
Separation Process
Human Resource notifications to IT trigger a specific review
of each separation, tracked using our WIT request system
for additional specific review of the security and other IT
needs related to each separation.
|
| Section 9: Physical and Environmental Security |
|
9.1
Secure Areas
To prevent unauthorized physical
access, damage, and interference to the
organization’s premises and information
• Critical or sensitive information
processing facilities should be housed
in secure areas
• Protection provided should be
commensurate with the identified risks
|
Implement Strong Access Control Measures
9. Restrict physical access to cardholder data
|
III.C. Manage and
Control Risk
|
3.10 Physical Protection
|
Security
j. Physically restrict access to key components
|
Datacenter Security Measures
All LETU Datacenters containing protected information are secured by
proximity-based card access control systems with highly restrictive
access configurations as well as video security coverage with archival
review capabilities. Access to all LETU Datacenters is extremely limited. The Data Center has its own environmental control (AC) as well as Uninterruptible Power Supply (UPS). Fire extinguishers are present in both data centers. Email alerts go out with detection of excessive heat
More information is available in the
LETU Datacenter Security Guidelines document. |
|
9.2
Equipment Security
To prevent loss, damage, theft or
compromise of assets and interruption to
the organization’s activities
|
Implement Strong Access Control Measures
9.1.3 - Restrict physical access to wireless access points,
gateways, and handheld devices
|
III.C. Manage and
Control Risk
|
3.7 Maintenance
3.8 Media Protection
3.10.6 Enforce safeguarding measures for
CUI at alternate work sites (e.g., telework sites)
|
|
Locked AP cabinets
Wireless Access Points located in locked enclosures
Unauthorized WAP detection
Detection and Identification of
Unauthorized Wireless Access Points (WAPs)
Datacloset Security Measures
All LETU Dataclosets are secured with a non-general-
master keyset and most are additionally secured by
proximity-based electronic locking systems.
Datacenter Security Measures
All LETU Datacenters containing protected information are secured by
proximity-based card access control systems with highly restrictive
access configurations as well as video security coverage with archival
review capabilities. Access to all LETU Datacenters is extremely limited.
More information is available in the
LETU Datacenter Security Guidelines document.
|
| Section 10: Communications and Operations Management |
|
10.1
Operational Procedures & Responsibilities
Responsibilities and procedures for
the management and operation of all
information processing facilities should be
established
• Segregation of duties should be
implemented
|
6.4.1 - Separate development/test and production
environments
|
III.C. Manage and
Control Risk
|
3.4.3 Track, review, approve/disapprove,
and audit changes to information systems
3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system
|
|
LETU Production/Test Architecture
LETU maintains specific testing environments separate from the production environment
as necessary for the secure evaluation of development or updated code/configs on both
LETU virtual server hosting systems and network architecture.
Access lists and secured credentials limit access to both production and testing environment resources to authorized users.
Title IV: Department of Education Requirements
|
|
10.2
Third-Party Service Delivery Management
Validate the implementation of agreements,
monitor compliance, and manage changes
to ensure that all services delivered meet
requirements set out in agreements
|
Maintain an Information Security Policy
12.8.2 Maintain a written agreement that includes
acknowledgement that the service providers are
responsible for the security of cardholder data the
service providers posses.
|
III.D. Oversee
Service Provider
Arrangements
|
N/A |
|
Statements of Service Provider Compliance: PCI |
|
10.3
System Planning and Acceptance
To minimize the risk of systems failures
• Advanced planning and preparation
are required to ensure availability and
adequate capacity of resources
• Operational requirements of new
systems should be established,
documented, and tested
|
Maintain a Vulnerability Management Program
6. Develop and maintain secure systems and
applications
Regularly Monitor and Test Networks
11. Regularly test security systems and processes
|
III.C. Manage and
Control Risk
|
N/A |
|
Server Vulnerability Scans
All servers scanned continuously using Tenable.io vulnerability scanning tool.
External facing IPs and servers scanned weekly by National Cybersecurity Assessment and Technical Services (NCATS)
Penetration Testing
Twice-annual penetration testing consists of both internal and external penetration tests and comprehensive reports by a qualified third party provider.
Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly.
DLP Compliance
DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform.
Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed.
Data Loss Prevention Guidelines
|
|
10.4
Protection Against Malicious & Mobile Code
Precautions are required to prevent and
detect the introduction of malicious code
and unauthorized mobile code |
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applications
|
III.C. Manage and
Control Risk
|
3.2 Awareness and Training
3.14.2 Provide protection from malicious code at appropriate
locations within organizational information systems
3.14.3 Monitor information system security alerts and
advisories and take appropriate actions in response
3.14.4 Update malicious code protection mechanisms
when new releases are available
3.14.5 Perform periodic scans of the information system
and real-time scans of files from external sources as files
are downloaded, opened, or executed
|
|
Windows Defender / Azure Security Center EDR
Protects in realtime against malicious code for managed endpoints
|
|
10.5
Back-up
To maintain the integrity and availability
of information and information processing
facilities
|
Implement Strong Access Control Measures
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources
and cardholder data
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
|
3.8.9 Protect the confidentiality of
backup CUI at storage locations
|
Operations
h. Recorded data remains complete and accurate
|
Veeam
Disaster recovery for all managed virtual servers
Backup Exec
Disaster recovery for additional agent-managed servers
\\letnet.net\fs\backup Backups
Disaster recovery for non-agent, *nix-based and other systems
Off-site
Regularly rotated Off-site vault storage of backup media
|
|
10.6
Network Security Management
To ensure the protection of information
in networks and the protection of the
supporting infrastructure
|
Build and Maintain a Secure Network
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applications
|
III.C. Manage and
Control Risk
|
3.1.2 Monitor and control remote
access sessions
3.1.13 Employ cryptographic mechanisms
to protect the confidentiality of remote
access sessions
3.1.14 Route remote access via
managed access control points
3.1.16 Authorize wireless access prior
to allowing such connections
3.1.17 Protect wireless access using
authentication and encryption
3.7.5 Require multifactor authentication to
establish nonlocal maintenance sessions via
external network connections and terminate
such connections when nonlocal maintenance
is complete
3.13 System and Communications Protection
|
Security
h. Network security restricts access to financial systems
|
Gateway Security
LETU networks are secured with access control lists (ACLs) ACLs that greatly restrict access to all LETU
MFA
Mandatory multi-factor authentication for all LETU employees eliminates threat of single-factor password compromises.
System Center Configuration Manager
Inventory and manage technology assets throughout lifecycle to ensure security
Windows Intune
Inventory and technology asset management
Windows Defender / Azure Security Center (EDR)
Protects against malicious code for managed endpoints
|
|
10.7
Media Handling
To prevent unauthorized disclosure,
modification, removal or destruction of
assets, and interruption to business activities
• Media should be controlled and
physically protected
• Appropriate operating procedures
should be established to protect,
documents, and computer media
|
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmissions of cardholder data and
sensitive information across public networks
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
|
N/A |
|
Protect Stored Cardholder Data
Encrypt transmission of cardholder data
across open, public networks
Mobile Device Encryption
All mobile devices have encrypted hard drives per
LETU policy "Mobile Device Encryption."
|
|
10.8
Exchange of Information
To maintain the security of information and
software exchanged within an organization
and with any external entity
|
Build and Maintain a Secure Network
1. Install and maintain a firewall
Protect Cardholder Data:
4. Encrypt transmissions of cardholder data and
sensitive information across public networks
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
Implement Strong Access Control Measures
8. Assign a unique ID to each person with computer
access
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
|
3.1.15 Authorize remote execution of
privileged commands and remote access
to security-relevant information
3.1.16 Authorize wireless access prior
to allowing such connections
3.1.17 Protect wireless access using
authentication and encryption
3.13 System and Communications Protection
|
|
Unique IDs
Each user has a unique SIS ID and username
Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights
Customer request system allows supervisors to request permissions their employees need.
Data Loss Prevention (DLP)
|
|
10.9
Electronic Commerce Services
To ensure the security of electronic
commerce services, and their secure use
|
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to
protect data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Protect Cardholder Data
4. Encrypt transmissions of cardholder data and
sensitive information across public networks
Maintain a Vulnerability Management Program
6. Develop and maintain secure systems and
applications
|
III.C. Manage and
Control Risk
|
N/A |
Operations
l. Ensure third-party services are secure
|
Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly.
Qualys SSL Labs
Server security scanner: https://www.ssllabs.com/ssltest
used annually
Encrypt transmission of cardholder data across open, public networks
Vendor Guidelines
Established guidelines in place when selecting on-premise or cloud-hosted vendor applications. Contracts for these vendors are reviewed by CIO and CFO with questions specific to risks, security controls, and other guideline-based information. This policy is contained in the Acceptable Use for Technology Systems.
Acceptable Use for Technology Systems (LETU Policy 6.1)
Data Loss Prevention (DLP)
|
|
10.10
Monitoring
To detect unauthorized information
processing activities including review of
operator logs and fault logging
• Systems should be monitored and
information security events should be
recorded
• Organization should comply with all
relevant legal requirements applicable
to monitoring and logging
• System monitoring should be used
to check the effectiveness of controls
adopted and to verify conformity to
access policies
|
Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources
and cardholder data
|
III.C. Manage and
Control Risk
|
3.3 Audit and Accountability |
Operations
n. Procedures for job scheduling, processing, error monitoring, system availability
|
Unique IDs
Each user has a unique SIS ID and username
Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights
Customer request system allows supervisors to request permissions their employees need.
Technical Monitoring
Many systems in place including central log aggregation, monitoring solutions, and custom scripts. Email/text alerts generated upon threshold for any monitor
|
| Section 11: Access Control |
|
11.1
Business Requirement for Access Control
Access to information, information
processing facilities, and business processes
should be controlled based upon business
and security requirements.
• Access controls should take account
policies for information dissemination
and authorization
|
Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
|
3.1 Access Control |
|
Unique IDs
Each user has a unique SIS ID and username
Data Classification Standard
LETU Policy 6.2: Data Classification
|
|
11.2
User Access Management
Formal procedures to control the allocation
of access rights to information systems and
services
|
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8.1.1 Assign a unique ID to each person with computer
access
|
III.C. Manage and
Control Risk
|
3.1 Access Control
3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system
3.5 Identification and Authentication
|
Entity-Level Controls
b. Segregation of responsibilities to prevent subversion of critical processes
|
Unique IDs
Each user has a unique SIS ID and username
Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights
Customer request system allows supervisors to request permissions their employees need.
Segregation of Responsibilities
Personnel are prohibited from engaging in user activities, initiating transactions, or changing master files. IT personnel prevented from having access to liquid assets such as check signing approval or credit approval.
eBridge Access
|
|
11.3
User Responsibilities
To prevent unauthorized user access, and
compromise or theft of information and
information processing capabilities
|
Build and Maintain a Secure Network
2. Do not use vendor-supplied defaults for system
passwords
Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
|
N/A |
|
Non-Default Credentials
Passwords for built-in accounts never left at default
Data Classification Standard
LETU Policy 6.2: Data Classification
LetNet Guest Wireless Account Creation
Guest account policies direct use of specific individual account information for each guest.
|
|
11.4
Network Access Control
Ensure that appropriate interfaces and
authentication mechanisms to networked
services are in place
|
Build and Maintain a Secure Network
2. Do not use vendor-supplied defaults for system
passwords
Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access
|
IlI.C. Manage and
Control Risk
|
3.1.9 Provide privacy and security notices
consistent with applicable CUI rules
3.1.16 Authorize wireless access prior
to allowing such connections
3.1.20 Verify and control/limit connections to
and use of external information systems
|
|
Non-Default Credentials
Passwords for built-in accounts never left at default
Data Classification Standard
LETU Policy 6.2: Data Classification
LetNet Guest Wireless Account Creation
Guest account policies direct use of specific individual account information for each guest.
|
|
11.5
Operating System Access Control
To prevent unauthorized access to operating
systems
Some methods include: ensure quality
passwords, user authentication, and
the recording of successful and failed
system accesses, providing appropriate
authentication control means
|
Build and Maintain a Secure Network
2. Do not use vendor-supplied defaults for system
passwords
Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access
Monitor and Test Networks
10. Track and monitor all access to network resources
and cardholder data
|
III.C. Manage and
Control Risk
|
3.1.8 Limit unsuccessful logon attempts
3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system
|
Security
g. Financial operating systems appropriately secured
|
Non-Default Credentials
Passwords for built-in accounts never left at default
Data Classification Standard
LETU Policy 6.2: Data Classification
LETNET Domain Password Requirements
Non-reversible password hash encryption
Account lockout procedures in place in addition to requirements above
Audits for all successful and failed logon events
|
11.6
Application and Information Access Control
• To prevent unauthorized access
to information held in application
systems
• Security facilities should be used to
restrict access to an within application
systems
• Logical access to application software
and information system functions
|
Build and Maintain a Secure Network
1. Do not use vendor-supplied defaults for system
passwords
Maintain a Vulnerability Management System
6. Develop and maintain secure systems and
applications
Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access
|
III.C. Manage and
Control Risk
|
3.1.21 Limit use of organizational portable
storage devices on external information
systems
3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system
3.5 Identification and Authentication
|
|
Unique IDs
Each user has a unique SIS ID and username
Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights
|
|
11.7
Mobile Computing and Teleworking
To ensure information security when using
mobile computing and teleworking facilities
|
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to
protect data
Build and Maintain a Secure Network
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
Implement Strong Access Control Measures
8. Assign a unique ID to each person with computer
access
|
III.C. Manage and
Control Risk
|
3.1.12 Monitor and control remote
access sessions
3.1.13 Employ cryptographic mechanisms
to protect the confidentiality of remote
access sessions
3.1.14 Route remote access via
managed access control points
3.1.15 Authorize remote execution of
privileged commands and remote access
to security-relevant information
3.1.18 Control connection of mobile devices
3.1.19 Encrypt CUI on mobile devices
3.10.6 Enforce safeguarding measures for
CUI at alternate work sites (e.g., telework sites)
|
|
Unique IDs
Each user has a unique SIS ID and username
Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights
Firewall
OS-level firewalls enabled on each client along with hardware firewalls
at edge of LETU network
Mobile Device Encryption
All mobile PCs required to have full-disk encryption:
LETU Policy "Mobile Device Encryption"
|
| Section 12: Information Systems Acquisition, Development and Maintenance |
|
12.1
Ensure that security is an integral
part of information systems
Security should be built into operating
systems, infrastructure, business
applications, off the shelf products, and user-
developed applications
|
Maintain a Vulnerability Management Program
6. Develop and maintain secure systems and
applications
|
N/A |
3.1.20 Verify and control/limit connections to
and use of external information systems
3.13 System and Communications Protection
|
|
Server Vulnerability Scans
All servers scanned continuously using Tenable.io vulnerability scanning tool.
External facing IPs and servers scanned weekly by National Cybersecurity Assessment and Technical Services (NCATS)
Penetration Testing
Twice-annual penetration testing consists of both internal and external penetration tests and comprehensive reports by a qualified third party provider.
Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly.
DLP Compliance
DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform.
Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed.
|
|
12.2
Correct Processing in Applications
To prevent errors, loss, unauthorized
modification or misuse of information in
applications
|
Maintain a Vulnerability Management Program
6. Develop and maintain secure systems and
applications
|
III.C. Manage and
Control Risk
|
N/A |
|
Server Vulnerability Scans
All servers scanned continuously using Tenable.io vulnerability scanning tool.
External facing IPs and servers scanned weekly by National Cybersecurity Assessment and Technical Services (NCATS)
Penetration Testing
Twice-annual penetration testing consists of both internal and external penetration tests and comprehensive reports by a qualified third party provider.
Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly.
DLP Compliance
DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform.
Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed.
|
12.3
Cryptographic Controls
• To protect the confidentiality,
authenticity or integrity of information
by cryptographic means
• Policy should be developed on the use
of cryptographic controls
• Key management should be in place to
support cryptographic techniques
|
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and
sensitive information across public networks
|
III.C. Manage and
Control Risk
|
3.1.13 Employ cryptographic mechanisms
to protect the confidentiality of remote
access sessions
3.1.17 Protect wireless access using
authentication and encryption
3.13.8 Implement cryptographic mechanisms
to prevent unauthorized disclosure of CUI
during transmission
3.13.10 Establish and manage cryptographic
keys for cryptography employed in the
information system
3.13.11 Employ FIPS-validated cryptography when
used to protect the confidentiality of CUI
|
|
Remote Services for Remote offices and Employees protected by mandatory Encryption
All data at rest on mobile or physically insecure devices stored using one-way strong encryption hashes
Kerberos Policy
Kerberos tickets are enforced for domain clients through Group Policy which ensures: 600 minute service ticket lifetime; 10 hour user ticket lifetime; 5 minute tolerance for computer clock synchronization
Certificate Authority
On-campus domain certification authority handles automatic certificate management on domain-joined clients
|
|
12.4
Security of System Files
To ensure security of system files through
the control of access to system files and
program source code
|
Build and Maintain a Secure Network
2. Do not use vendor-supplied defaults for system
passwords and other security parameters
|
III.C. Manage and
Control Risk
|
N/A |
|
Non-Default Credentials
Passwords for built-in accounts never left at default |
12.5
Security in Development and Support
Processes
Project and support environments should be
strictly controlled
|
Maintain a Vulnerability Management Program
6. Develop and maintain secure systems and
applications
|
N/A |
3.1.14 Route remote access via
managed access control points
3.4.3 Track, review, approve/disapprove,
and audit changes to information systems
3.4.4 Analyze the security impact of changes
prior to implementation
3.12 Security Assessment
|
Systems Development and Change Management
d. Acquiring, implementing, integrating, and maintaining IS applications
e. Acquiring, implementing, integrating, and maintaining infrastructure
|
Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights
Change Management
IT Business Systems team receives notifications of patches and hotfixes, and reviews related release notes. This team then requests approval from change management team for a time to perform updates. Full databases and system backups are done nightly. Tape rotation method is used to allow complete recovery. Complete backups are performed prior to any new or updated application being deployed.
|
|
12.6
Technical Vulnerability Management
To reduce risks resulting from exploitation
of published technical vulnerabilities
• Technical vulnerability management
should be effective, systematic, and
repeatable
|
Maintain a Vulnerability Management
Program
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and
applications
|
III.C. Manage and
Control Risk
|
3.11 Risk Assessment |
|
Windows Defender / Azure Security Center (EDR)
Protects against malicious code for managed endpoints
Server Vulnerability Scans
All servers scanned continuously using Tenable.io vulnerability scanning tool.
External facing IPs and servers scanned weekly by National Cybersecurity Assessment and Technical Services (NCATS)
Penetration Testing
Twice-annual penetration testing consists of both internal and external penetration tests and comprehensive reports by a qualified third party provider.
RSS/Web Lists
RSS, mailing lists, and forums are used to keep apprised of newly published
vulnerabilities. Manual patches are tracked through collaborative
spreadsheets until stakeholders have verified each affected endpoint has
been patched
Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used annually
Qualys SSL Labs
Server security scanner: https://www.ssllabs.com/ssltest
|
| Section 13: Information Security Incident Management |
|
13.1
Information Security Incident Management
To ensure information security events and
weaknesses associated with information
systems are communicated in a manner
allowing timely corrective action to be taken
• Formal event reporting and escalation
procedures should be in place
|
Maintain a Vulnerability Management Program
6. Develop and maintain secure systems and
applications
Regularly Monitor and Test Networks
11. Regularly test security systems and processes
Maintain an Information Security Policy:
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
FSA GENERAL-23-09 (h)
|
3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems)
3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute
3.1.3 Control the flow of CUI in
accordance with approved authorizations
|
Operations
m. Process for identifying and resolving incidents
|
LETU Information Technology Continuity Plan (Secure Document: available internally)
Data Classification Standard
LETU Policy 6.2: Data Classification
Communication Policy
Defines response expectations for various incidents:
Communication Policy
Incident Log
Security Incident Reports
Department of Ed Notification
Special notification requirement for Title IV data breach. |
|
13.2
Management of Information Security
Incidents and Improvements
• To ensure a consistent and
effective approach is applied to the
management of information security
incidents
|
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
FSA GENERAL-23-09 (g)
|
3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems)
3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute
3.1.3 Control the flow of CUI in
accordance with approved authorizations
3.3 Audit and Accountability
3.6 Incident Response
|
Security
f. Information Security policy
|
LETU Information Technology Continuity Plan (Secure Document: available internally)
Communication Policy
Defines response expectations for various incidents:
Communication Policy
Data Classification Standard
LETU Policy 6.2: Data Classification
|
| Section 14: Business Continuity Management |
|
14.1
Information Security Aspects
of Business Continuity Management
To counteract interruptions to business
activities and to protect critical business
processes from the effects of major failures
or disasters and to ensure their timely
resumption
|
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
FSA GENERAL-23-09 (g,h)
|
3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems)
3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute
3.1.3 Control the flow of CUI in
accordance with approved authorizations
3.8.9 Protect the confidentiality of
backup CUI at storage locations
|
Entity-Level Controls
a. Plans that align business objectives with IT strategies
|
LETU Information Technology Continuity Plan (Secure Document: available internally)
Data Classification Standard
LETU Policy 6.2: Data Classification
Business Objective Alignment
IT-related risks communicated through IT personnel and brought to the attention of CIO. Action plans with due dates are implemented for recovery. Users required to sign confidentiality agreements before any access to administrative software is granted.
|
| Section 15: Compliance |
|
15.1
Compliance with Legal Requirements
To avoid breaches of any law, statutory,
regulatory or contractual obligations, and
of any security requirements
|
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
III.F. Report to the
Board
FSA GENERAL-23-09 (i)
|
3.3.8 Protect audit information and audit tools
from unauthorized access, modification, and
deletion
3.3.9 Limit management of audit functionality
to a subset of privileged users
3.8.9 Protect the confidentiality of
backup CUI at storage locations
|
|
Data Classification Standard
LETU Policy 6.2: Data Classification
Department of Ed Notification
Title IV: Department of Education Requirements |
|
15.2
Compliance with Security Policies and
Standards, and Technical Compliance
To ensure compliance of systems with
organizational security policies and
standards
|
Regularly Monitor and Test Networks
10. Track and monitor all access to network
resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information
security for employees and contractors
|
III.C. Manage and
Control Risk
III.E. Adjust the
Program
III.F. Report to the
Board
|
N/A |
|
Data Classification Standard
LETU Policy 6.2: Data Classification
Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly.
Qualys SSL Labs
Server security scanner: https://www.ssllabs.com/ssltest
used annually
Protect Stored Cardholder Data
Encrypt transmission of cardholder data
across open, public networks
|