This is an example “Guidebook” to follow in order to enroll a computer in a specific tier in the CU Boulder Secure Computing Framework. The system in question must meet the criteria listed below.
Created by: Nathan Campbell, Matthew Hynes-Grace, Alan Fasick
| Tier Number | Thirteen |
| Tier Title | Research IT Managed Individual Server |
| Tier Description | Individual computing resource for research (small scale computational resource) |
| System Requirements/Constraints | CPU/memory needs to be dedicated to computation without risk of interruption. Commercial or custom software may be "frozen" with inability to update. Especially true for timeseries of research data where reproducibility is critical. |
| Examples: | Single node GPU, visualization, or custom application servers. |
System Details
| Type: |
|
| System Host Name: If Batch, please enter hostnames or IPs in a comma separated list |
|
| Secure Computing Tier: |
|
| Location: |
|
| Business Purpose: |
|
Tier Thirteen Minimum Requirements
This Tier requires the following requirements are met by the system. If this system cannot meet these requirements, please review the other tiers for a more relevant tier. [Link to Tier Info]
| R2 | Provide role-based access control for both OS and service/application access | |
| R3 | Log authentication and authorization events for server and service(s) provided. | |
| R6 | Apply OS and application security updated in compliance with vulnerability management standard | |
| R8 | Stateful firewall operational at all times whose ruleset is audited and updated on a semi-annual basis | |
| R10 | Custom-developed applications must be maintained and periodically assessed for vulnerabilities |
Exceptions and Compensating Controls
Does this system or set of systems following an industry-appropriate security framework for additional protective measures:
Which of the following frameworks are being implemented:
Once Submitted your request is complete. You do not need to fill out the rest of this form.
Please continue to fill out the rest of the form.
R1. Can this system run current and supported software?
This system meets R1 Security Standards.
Can one of the following compensating controls be put in place?
* = Required
R4. Is this system enrolled in the campus EDR solution?
This system meets R4 Security Standards.
Can one of the following compensating controls be put in place?
* = Required
R5. Is this system enrolled in campus vulnerability scanning solution or an approved equivalent?
This system meets R5 Security Standards.
Can one of the following compensating controls be put in place?
* = Required
R7. Is this system using encrypted backups with a minimum of 30 days being maintained on a rolling basis?
This system meets R7 Security Standards.
Can one of the following compensating controls be put in place:
* = Required
EXAMPLE Multi-Decision - R10. Does this system have custom-developed applications? (this question is not required for this Tier but is listed for demonstration purposes.
Is this software maintained and periodically assessed for vulnerabilities?
This system meets R10 Security Standards.
Can one of the following compensating controls be put in place:
* = Required
This system meets R10 Security Standards.
Additional System information
Is there any additional information that should be on file with OIT about this tier enrollment.