Blanket Compensating Controls & Exceptions for University Computer Security Standards

This page contains the current blanket compensating controls and exception categories for a number of general classes of devices. The page is organized by the standard to which the blanket approvals relate (for instance, the Minimum Computer Security Standard (MCSS), the Critical Server Security Standard (CSSS), etc.).

A blanket category applies to a device class only with regard to the specific standard under which it is listed, unless otherwise noted.

Note: The "Partial Exception" category was added once we began evaluating the blanket exceptions. Partial exceptions are not normally part of the Exception/Compensating Controls process, but the broad nature of the blanket exceptions made it necessary to relax this restriction. In most cases we expect a request to be resolved by either a Compensating Control or an Exception, not a hybrid of the two.



Devices for the Minimum Computer Security Standard (MCSS)
-> Firewalls
-> Network Switches
-> Network Printers
Devices for the Critical Server Security Standard (CSSS)
Devices for the Web Server Security Standard (WSSS)
Devices for the Database Server Security Standard (DSSS)


Blanket Compensating Control and Exceptions by Device Type - MCSS


DRAFT - MCSS COMPLIANCE FOR NETWORK FIREWALLS

Device: FIREWALL - "A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules." Adapted from Wikipedia: Firewalls.

By Element:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
EXCEPTION/COMPENSATING CONTROL: Network firewalls are excepted from this requirement. However, as a compensating control, the firewall must use a default-block (default-deny) ruleset for traffic addressed to the firewall itself, so that every attempt to connect to the firewall is dropped unless a rule explicitly permits it.

2. Current operating system and application software with current security patches must be installed.
PARTIAL EXCEPTION: It is not required that network firewalls run the most current version of the operating system.
COMPLIANCE REQUIRED: When the firewall manufacturer issues an operating system patch that addresses a vulnerability deemed critical (or equivalent terminology) by the manufacturer, the patch must be applied in a timely manner. If there is no identifiable manufacturer (as is the case with FreeBSD-based firewalls), alerts from NIST identifying critical vulnerabilities are equivalent notification.

3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
PARTIAL EXCEPTION: Network firewalls are excepted from most of this requirement, since anti-malware software is generally not available for these devices. However, a network firewall should run anti-virus software when 1) it is available for the underlying host operating system and 2) the device's performance is not adversely affected by it.

The decision to use or not use anti-virus software rests with the systems administrator; in either case the basis of the decision must be documented.

4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
COMPLIANCE REQUIRED: As part of the authentication/authorization implementation, administrators should consider permitting management access from authorized IP addresses only.



DRAFT - MCSS COMPLIANCE FOR NETWORK SWITCHES

"Network Switch: a computer networking device that connects network segments.... Network switches are capable of inspecting data packets as they are received, determining the source and destination device of that packet, and forwarding it appropriately." Adapted from Wikipedia: Network Switch. Network switches may be either managed or unmanaged; unless otherwise noted, the exceptions below apply to both types.

By Element:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
EXCEPTION/COMPENSATING CONTROL: Network switches are excepted from this requirement, since device-level (host) firewalls are not available for these devices. However, a compensating control must be put in place: the device must be configured to restrict access to any control interfaces (Telnet, SNMP, SSH, web, etc.) so that unauthorized users cannot reach them. This compensating control may be omitted if the device does not support such a configuration (an unmanaged switch, for example, has no control interface to restrict).

2. Current operating system and application software with current security patches must be installed.
PARTIAL EXCEPTION: It is not required that network switches run the most current version of the operating system.
COMPLIANCE REQUIRED: When the switch manufacturer issues an operating system patch that addresses a vulnerability deemed critical (or equivalent terminology) by the manufacturer, the patch must be applied in a timely manner.

3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
EXCEPTION: Network switches are excepted from this requirement, since anti-malware software is not available for these devices.

4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
COMPLIANCE REQUIRED: As part of the authentication/authorization implementation, administrators should consider permitting management access from authorized IP addresses only. Managed switches (devices that expose an administrative interface) must follow the MCSS robust password requirement and cannot use a default manufacturer password. Unmanaged switches are excepted from this requirement.



DRAFT - MCSS COMPLIANCE FOR NETWORK PRINTERS

Network Printer: Many printers are primarily used as local computer peripherals, attached by a printer cable to a computer that serves as the document source. Some printers, commonly known as network printers, have built-in network interfaces (typically wireless or Ethernet) and can serve as a hardcopy device for any user on the network (LAN and/or WAN). These printers are often designed to support both local and network-connected users at the same time.

In addition, many modern printers can interface directly with electronic media such as memory sticks or memory cards, or with image capture devices such as digital cameras and scanners; some printers are combined with scanners and/or fax machines in a single unit. Printers that include non-printing features are sometimes called Multi-Function Printers (MFP) or Multi-Function Devices (MFD). Adapted from Wikipedia: Computer Printer.

By Element:
1. The device must be guarded by an up-to-date and active firewall set to protect it from unauthorized network traffic.
EXCEPTION/COMPENSATING CONTROL: Network printers are excepted from this requirement, since device-level (host) firewalls are not available for these devices. However, a compensating control must be put in place: the device must be configured to restrict access to any control interfaces (Telnet, FTP, SNMP, SSH, web, etc.) so that unauthorized users cannot reach them.

As part of the authentication/authorization implementation, administrators must permit management access from authorized IP addresses only. Printing from the Internet must be tunneled through a secure service, such as a VPN, that requires authentication. Router ACLs that block access to network printers from external or otherwise unauthorized devices on the local/OSU network are also recommended.

2. Current operating system and application software with current security patches must be installed.
PARTIAL EXCEPTION: It is not required that network printers run the most current version of the operating system.
COMPLIANCE REQUIRED: When the printer manufacturer issues an operating system patch that addresses a vulnerability deemed critical (or equivalent terminology) by the manufacturer, the patch must be applied in a timely manner.

3. The device must be protected against malicious or undesired software such as viruses, spyware, or adware.
EXCEPTION: Network printers are excepted from this requirement, since anti-malware software is not available for these devices.

4. Access to the device must require appropriate authentication controls such as account identifiers and robust passwords.
COMPLIANCE REQUIRED: Network printers that offer built-in management features or web-page control interfaces must be protected by robust passwords and cannot use the default manufacturer password.
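As an added example (not OSU tooling and not part of the standard), the following Python checker tests an exported ruleset against the two compensating controls called out in element 1 and element 4 of the firewall, switch and printer sections above: a default-block policy for traffic addressed to the device itself, and control interfaces (FTP, SSH, Telnet, web, SNMP) accepted only from authorized source addresses. It assumes a Linux-based firewall whose ruleset was exported with iptables-save; the management network 10.0.50.0/24 and both sample rulesets are constructed for illustration. Switches and printers cannot run this themselves, but the same logic applies to the router ACL that fronts them once that ACL is expressed in the same rule shape.

```python
"""Check an iptables-save export for two MCSS blanket compensating controls:
a default-block INPUT policy (element 1) and management interfaces reachable
only from authorized source addresses (element 1 for switches/printers,
element 4 for firewalls).  Added example; sample rulesets are constructed."""
import ipaddress
import re

# Control interfaces the page names for switches and printers.
MGMT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}

# Assumption (hypothetical): the authorized management network is 10.0.50.0/24.
AUTHORIZED_MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]

POLICY_RE = re.compile(r"^:INPUT (ACCEPT|DROP|REJECT)")
RULE_RE = re.compile(r"^-A INPUT (.*?)-j (ACCEPT|DROP|REJECT)\s*$")


def _parse_ports(value):
    """'22' -> (22, 22); '20:23' -> (20, 23)."""
    lo, _, hi = value.partition(":")
    return int(lo), int(hi or lo)


def parse_ruleset(text):
    """Return (INPUT chain policy, list of INPUT rules) from iptables-save output."""
    policy, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # other chains, *filter/COMMIT, LOG targets, comments
        opts = m.group(1).split()
        rule = {"target": m.group(2), "src": None, "proto": None, "dport": None, "raw": line}
        i = 0
        while i < len(opts):
            if opts[i] == "-s":
                rule["src"] = opts[i + 1]
                i += 2
            elif opts[i] == "-p":
                rule["proto"] = opts[i + 1]
                i += 2
            elif opts[i] == "--dport":
                rule["dport"] = _parse_ports(opts[i + 1])
                i += 2
            else:
                i += 1  # -i, -m, --ctstate and their arguments are irrelevant here
        rules.append(rule)
    return policy, rules


def check_ruleset(text):
    """Return a list of findings; an empty list means both controls are met."""
    policy, rules = parse_ruleset(text)
    findings = []
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy}, not DROP: no default-block ruleset")
    for r in rules:
        # Only ACCEPT rules keyed on a destination port can expose a control interface.
        if r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        lo, hi = r["dport"]
        exposed = [name for port, name in MGMT_PORTS.items() if lo <= port <= hi]
        if not exposed:
            continue
        services = "/".join(exposed)
        if r["src"] is None:
            findings.append(f"{services} accepted from any source: {r['raw']}")
            continue
        src = ipaddress.ip_network(r["src"], strict=False)
        if not any(net.version == src.version and src.subnet_of(net)
                   for net in AUTHORIZED_MGMT_NETS):
            findings.append(f"{services} accepted from unauthorized source {src}: {r['raw']}")
    return findings


# Constructed sample: default-accept policy, SSH and HTTPS open to the world.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.50.0/24 -p udp -m udp --dport 161 -j ACCEPT
COMMIT
"""

# Constructed sample: the same device after the compensating control is applied.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.50.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.50.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.50.7/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        findings = check_ruleset(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The check is deliberately conservative: it does not model rule order, so an ACCEPT for a management port without a source restriction is flagged even if an earlier DROP would shadow it, and it ignores the FORWARD chain because the blanket control concerns traffic to the device itself, not traffic through it.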



Blanket Compensating Control and Exceptions by Device Type - CSSS

Device categories pending review



Blanket Compensating Control and Exceptions by Device Type - WSSS

Device categories pending review



Blanket Compensating Control and Exceptions by Device Type - DSSS

Device categories pending review


