Status: Draft
Last Revision Date: September 21, 2023
Statement of Purpose
Computing devices are susceptible to vulnerabilities in their operating systems, hardware, and configurations. Manufacturers release recommended configurations, patches, and upgrades to mitigate security risks. This policy ensures that Clackamas Community College ITS support staff remain informed of these requirements and maintain all computing devices with the latest versions, patches, configurations, and industry best practices.
Policy Summary
All servers, network devices, and other computing resources within Clackamas Community College networks—whether managed internally or by third parties—must be built and deployed following documented System Configuration Standards. This policy is subject to and superseded by applicable laws and regulations.
Policy
General Compliance
- All computing systems, including virtual servers or appliances, must be assigned a single primary purpose where feasible (e.g., web servers, database servers, and DNS servers should be deployed separately).
- Operating system configurations must be reviewed to ensure services are minimized and security is maintained.
- All systems must conform to Clackamas Community College’s Information Security configuration standards before deployment in a production environment.
- Clackamas Community College must conduct internal and external network vulnerability scans at least quarterly and after significant network or security changes.
- External penetration tests must be conducted at both the application and network layers biannually or after major changes to the security environment.
- Identified vulnerabilities from scans and penetration tests must be assessed for risk and compared against acceptable risk thresholds. Any vulnerabilities exceeding acceptable risk levels must be assigned to the appropriate personnel for remediation.
- Remote access to computing systems must adhere to Clackamas Community College Remote Access Standards and minimize security risks to an acceptable level.
- Procedures for accessing and modifying critical systems, configurations, and files must be documented in alignment with regulatory standards and industry best practices.
- The Information Security Team must stay informed about security issues and vulnerabilities affecting Clackamas Community College computing systems and communicate necessary updates to relevant parties.
- Security and system configuration standards must be updated as needed to address vulnerabilities, updates, regulatory requirements, and evolving risk tolerance levels.
- A structured patching schedule must be in place for all applications, operating systems, firmware, and other updatable components. Critical vulnerabilities must be patched in a timely manner based on the associated risk. ITS leadership must maintain a documented plan to phase out components that can no longer receive security updates due to end-of-life or end-of-support status.
- The Chief Information Security Officer (CISO) must oversee a formal risk assessment process to identify and address existing or emerging threats and vulnerabilities to Clackamas Community College assets.
- The CISO must approve and track the activation and deactivation of remote access paths and accounts.
Mobile and Remote Access Security
- Any computer or laptop used for remote access to non-public Clackamas Community College resources via the Internet must have the following CISO-approved security controls enabled:
  - Personal firewall software
  - Anti-virus software, as specified in Policy 107
  - Clackamas Community College’s authentication solution with a VPN client supporting the user's requirements
- All remote users connecting to Clackamas Community College networks must be authenticated in accordance with Policy 102.
Exemptions
None.
Exceptions
Exceptions to this policy require prior written approval from the Chief Information Officer (CIO).