S-13 Update FAQ

Where is the standard?

https://www.purdue.edu/policies/information-technology/s13.html

What changes were made?

The most significant changes are additional requirements to sections on Authentication, General Security Controls and Remote Access Controls. Additionally, Endpoint Protection Software.

The following is a summary of added requirements: 

Privileged Access to Purdue IT Resources must utilize Multi-factor Authentication method(s) approved by the CIO.
University servers, end user computers (e.g., laptops and desktops) and other applicable Devices (e.g., virtual machines), unless exempted by the CISO, must have appropriate working Endpoint Protection Software installed prior to any new or continued connection to University IT Resources.
Mass storage systems, unless exempted by the CIO or CISO, must be periodically backed up in a way that creates indelible copies with verified integrity.
Networked systems, unless exempted by the CIO or CISO, must send appropriate logs (as defined in IT Resource Logging (S-11) standard) to the central university logging service/aggregator.
Remote Access to Purdue IT Resources must use one of the following:
1. An encrypted virtual private network (VPN) approved by the CIO or CISO, or
2. Another encrypted connection approved by the CIO or CISO.

When will the new requirements be enforced for existing systems or accounts that are not in compliance?

A plan must be in place by December 31, 2022, and compliance is required by June 30, 2023. However, the endpoint protection requirements are effective immediately and should be addressed as soon as possible.

What if compliance is not feasible for a system or account?

Systems or accounts that are not in compliance will need mitigating controls in place. A security policy exception will be needed for these cases. The security exception process can be found at the following: Security Policy/Procedures Exceptions - Secure Purdue - Purdue University

What is the security policy exception process?

Information about the security policy exception process can be found at the following: Security Policy/Procedures Exceptions - Secure Purdue - Purdue University

When should I file a security policy exception?

After all feasible options to comply have been exhausted. Questions about compliance options can be sent to itpolicyreq@purdue.edu.

What is privileged access?

Privileged access and privileged accounts are defined in the S-13 and S-15 standards respectively. Privileged access is defined as:

Elevated or administrative access privileges beyond those of a general user Career Account. For example, accounts such as root, local administrator, domain administrator, OU admin, super user, and emergency or “break glass” have Privileged Access.

The Privileged Account definition is similar and includes applicability to system or application accounts.

Any questions regarding privileged access or accounts can be sent to itpolicyreq@purdue.edu.

Will existing privileged accounts need to be changed to require Muti-Factor Authentication, or will a VPN that requires it satisfy the requirement?

Limiting remote access paths through MFA administrative only use gateways (e.g., VPN, jump server, etc.), in some form, will likely be determined acceptable. This is being discussed and more details will be provided at a later date.

What are the approved Multi-factor Authentication (MFA) method(s) by the CIO?

The current approved methods are Duo (BoilerKey) and Microsoft multi-factor authentication. The following are links to more information about these methods:

Microsoft MFA: Microsoft multi-factor authentication | Purdue University

BoilerKey: BoilerKey: Two-Factor Authentication | Purdue University

What are acceptable methods for enforcing MFA when it comes to administrative access?

Acceptable methods for enforcement:

VPN that enforces MFA
Avoid allowing general use profiles like WebVPN/WebVPN2 to your servers
These should only be used if the system being accessed enforces MFA
Restrict to just what is necessary
IT Admins should still connect to the VPN from a University owned machine
The best approach is separate terminal server, jump host, administrative workstation, or administrative VDI so you can separate your general user activity (email, web browsing, etc.) from your administrative IT duties.
The terminal server/jump host/VDI could enforce MFA or a VPN requiring MFA could be used to get to the terminal server/jump host/VDI.

What is the appropriate Endpoint protection for all university owned machines?

The current standard for university machines is Cisco Secure Endpoint (formerly known as Cisco AMP).

Please send questions to security@purdue.edu if alternative endpoint protection is in use.

What is Cisco Secure Endpoint?

Secure Endpoint is a single-agent solution that provides comprehensive protection, detection, response, and user access coverage to defend against threats to our endpoints.

Which Operating Systems does Secure Endpoint run on?

A list of compatible operating systems can be found at the following: Cisco Secure Endpoint Data Sheet - Cisco

Do non-University devices need endpoint protection?

Yes, if the device will be connecting to Purdue university network. The list of recommended endpoint protection products for the University is:

Microsoft Defender (Already built into Windows 10 & 11 devices)
Immunet
Sophos
Malware Bytes

The University does not provide support for non-University devices, including the installation of endpoint protection.

What controls should be in place if we have a system that can’t run Cisco Secure Endpoint?

The following controls are recommended when cisco secure endpoint can't be used:

Remove from the network where possible
Purchase extended security updates if available
Apply application patches even if OS patches aren’t available
Move to private VLAN or heavily restrict with network and local firewalls
Ensure vulnerability scanning is happening
Mitigations should be confirmed for any critical vulnerabilities.
Determine if an open source or free anti-virus version might support the outdated or unsupported OS (ex. ClamAV, Immunet, MalwareBytes, ect.)
Limit USB ports, disk drives or hardware that can be used to transfer files
Document a mitigation and migration plan to include with the Security Exception
Verify that centralized logging is taking place for the system and applications

What devices should be configured to export logs to the central collectors?

The following devices should send logs:

Any device that can export logs, should send them to the centralized collectors
Logs sent to the centralized PSS collectors can be forwarded to Splunk as needed
Review the logging standard for a definition of what to send: https://www.purdue.edu/policies/information-technology/s11.html
Questions can be sent to security@purdue.edu

Is this FAQ a static document?

New questions and answers may be added to this FAQ over time.

What is the change history of this FAQ?

This FAQ was published November 1st, 2022. It was last updated on January 5th, 2023.

January 5th, 2023 changes:

Added "What are acceptable methods for enforcing MFA when it comes to administrative access?"
Added "What controls should be in place if we have a system that can’t run Cisco Secure Endpoint?"
Added "What are acceptable options for allowing vendors access to systems they are contractually obligated to support?"

This FAQ did not address my question about the S-13 policy changes. Now what?

Please send questions here. Include the policy or standard reference (in this case, “S-13”) in the subject line. Questions received will be answered and used to improve content in the FAQ.