Northeastern University System and Information Integrity Standard
Related Policy: Northeastern University Information Security Policy
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the types of IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.
This standard establishes the minimum system and information integrity criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.
IT systems are considered in the scope of this standard if they utilize any of the following: Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).
System and Information Integrity Overview
The System and Information Integrity (SI) domain focuses on ensuring systems are free from flaws and that data integrity is maintained. SI is achieved by identifying and remediating flaws and preventing malicious content from entering the environment.
Roles and Responsibilities
The following high-level functional roles support the system and information integrity processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with system and information integrity within the Northeastern University environment.
Chief Information Security Officer (CISO): Individual responsible for the overall Northeastern University information security program.
Information Technology Services (ITS): Northeastern University’s centralized technology resource providing enterprise platforms, information security, and IT operations.
System Administrator: An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands-on management of the IT system and is usually more technical in nature than the System Owner. System Administrators are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting or assisting with configuration monitoring activities as needed.
Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and IT systems related to managing network communications.
- Security: manages all IT systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages IT systems that control identity-based access, like Entra ID.
System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an IT system. The System Owner is also responsible for establishing, tracking, and maintaining the inventory of information technology products and IT systems which process, transmit, or store Northeastern University information, including hardware, software, and firmware. Depending on the size of the IT system, these responsibilities can be assigned to someone with a role closely aligned to that of an Asset Manager.
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.14.1) in the text below to identify the control from which each listed responsibility inherits its requirements.
As the system and information integrity capability matures over time, additional controls may be considered to augment confidentiality and address the availability and integrity of information. Additionally, when implementing the criteria of this document, organizations may choose to implement stricter criteria; however, the criteria cannot be lessened without a formal exception by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
Identify and Manage Information System Flaws
(3.14.1) The System Administrator is responsible for performing vulnerability scans in accordance with the Northeastern University Information Security Policy and Northeastern University Risk Assessment Standard.
The System Administrator is responsible for correcting identified flaws (e.g., patch application, firmware update, configuration changes) in accordance with the Northeastern University Information Security Policy and Northeastern University Configuration Management Standard.
(3.14.3) The System Administrator is responsible for monitoring IT system security alerts and advisories and responding in accordance with the Northeastern University Information Security Policy and Northeastern University Risk Assessment Standard.
Identify Malicious Content
(3.14.2) The System Owner is responsible for identifying the IT system inventory in accordance with the Northeastern University Information Security Policy and Northeastern University Configuration Management Standard.
The System Administrator is responsible for implementing malicious code protections for boundary protection devices (e.g., firewalls, proxies), endpoints (e.g., laptops, mobile devices), and servers.
(3.14.4) The System Administrator is responsible for configuring malicious code protection mechanisms (e.g., antivirus software) to auto update (e.g., virus signature definitions), at a minimum, daily. The System Administrator is also responsible for configuring malicious code protection mechanisms to alert upon update failures in accordance with the Northeastern University Information Security Policy and Northeastern University Audit and Accountability Standard.
(3.14.5) The System Administrator is responsible for configuring malicious code protection mechanisms in accordance with the following criteria:
Table 1. Malicious Code Protection Configurations
| Category | Required Settings |
|---|---|
| Periodic Scans | • Run full system scans, at a minimum, weekly. • Perform real-time scans of files from external sources (e.g., email, flash drive) upon download, open, or execution of files. |
| Quarantine | • Prevent execution of discovered malicious content. • Quarantine the malicious content. |
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.
Flaw: Weakness in an IT system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Information Technology (IT): Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
Malicious Code: Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an IT system (e.g., virus, worm, Trojan horse, spyware, some forms of adware).
Organization: An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).
Compliance
This standard complies with the directives defined in the Northeastern University Information Security Policy. The university recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criteria defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration, the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
| Date | Description | Version | Editor |
|---|---|---|---|
| 01/7/2025 | Initial draft for Stakeholder Review | 0.1 | Esau Johnson |
| 1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
| 9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. Northeastern University System and Information Integrity Standard Summary
The table below summarizes the Northeastern University IT system environment minimum criteria for enabling system and information integrity capabilities within the Northeastern University IT system environments.
- The first column, “Northeastern University Practice ID”, identifies the related Northeastern University practice ID as defined in NIST 800-171.
- The second column, “Northeastern University Practice Statement”, includes the Northeastern University practices required to be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level Northeastern University practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, a Northeastern University practice statement may be derived into several requirements that must be addressed to satisfy the Northeastern University practice.
- The final column, “Northeastern University IT System Environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices) which the university will implement to satisfy the related Northeastern University practice.
| Northeastern University Practice ID | Northeastern University Practice Statement | Derived Requirement | Northeastern University Environment Criteria (Northeastern University Practice Implementation) |
|---|---|---|---|
| 3.14.1 | Identify, report, and correct information and information system flaws in a timely manner. | Identify Flaws | The System Administrator is responsible for: • Performing vulnerability scans in accordance with the Northeastern University Information Security Policy and Northeastern University Risk Assessment Standard. |
| 3.14.1 | (as above) | Correct Flaws | The System Administrator is responsible for: • Correcting identified flaws (e.g., patch application, firmware update, configuration changes) in accordance with the Northeastern University Information Security Policy and Northeastern University Configuration Management Standard. |
| 3.14.2 | Provide protection from malicious code at appropriate locations within organizational information systems. | Identify Systems | The System Owner is responsible for: • Identifying the IT system inventory in accordance with the Northeastern University Information Security Policy and Northeastern University Configuration Management Standard. |
| 3.14.2 | (as above) | Protect Systems | The System Administrator is responsible for: • Implementing malicious code protections for boundary protection devices (e.g., firewalls, proxies), endpoints (e.g., laptops, mobile devices), and servers. |
| 3.14.4 | Update malicious code protection mechanisms when new releases are available. | Update Definitions | The System Administrator is responsible for: • Configuring malicious code protection mechanisms (e.g., antivirus software) to auto update (e.g., virus signature definitions), at a minimum, daily. • Configuring malicious code protection mechanisms to alert upon update failures in accordance with the Northeastern University Information Security Policy and Northeastern University Audit and Accountability Standard. |
| 3.14.5 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | Periodic Scans | The System Administrator is responsible for configuring malicious code protection mechanisms in accordance with the following criteria: • Run full system scans, at a minimum, weekly. • Perform real-time scans of files from external sources (e.g., email, flash drive) upon download, open, or execution of files. |
| 3.14.5 | (as above) | Quarantine Malware | The System Administrator is responsible for configuring malicious code protection mechanisms to: • Prevent execution of discovered malicious content. • Quarantine the malicious content. |
| 3.14.3 | Monitor system security alerts and advisories and take action in response. | Monitor & Respond | The System Administrator is responsible for: • Monitoring IT system security alerts and advisories and responding in accordance with the Northeastern University Information Security Policy and Northeastern University Risk Assessment Standard. |
Appendix B. System and Information Integrity References
The following list of references is common industry standards used to carry out the system and information integrity criteria defined within this standard.
- NIST Special Publication (SP) 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
- NIST SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling for Desktops and Laptops, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf