Working with Servers


Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):

Server communication

SA3: Communications between servers or applications and client machines must be protected. 

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established.

Stored passwords

SA7: Systems that manage user passwords must be designed in such a way that the passwords are not retrievable by administrators.

Password management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

Current patches

SA9: Operating system and application patches must be current.

Malware detection

SA10: Servers must be running applicable malware detection software with up-to-date signature files.

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Scanning servers

SA12: All University-owned servers must be scanned annually for the presence of High Risk Confidential Information (HRCI).

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Password guessing

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication.
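As an added illustration that is not part of the requirements page, the following Python sketch shows one design that satisfies both SA7 (stored passwords not retrievable by administrators) and SB2 (a mechanism that inhibits password guessing). Passwords are kept only as a salted PBKDF2 digest, so anyone reading the store sees a salt and a digest rather than the password, and a per-account failed-attempt counter locks the account for a cooling-off period. The iteration count, attempt limit, lockout period and the `PasswordStore` class are constructed for this example; a real deployment tunes the parameters for its hardware and threat model.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed parameters for the example; tune for your environment.
PBKDF2_ITERATIONS = 100_000   # work factor that makes offline guessing slow
MAX_FAILED_ATTEMPTS = 5       # SB2: failures allowed before a lockout
LOCKOUT_SECONDS = 900         # SB2: cooling-off period after a lockout


@dataclass
class Account:
    salt: bytes                 # per-account random salt
    digest: bytes               # PBKDF2 output; the password itself is never stored
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class PasswordStore:
    """Hypothetical password store: SA7 non-retrievable storage plus SB2 lockout."""

    def __init__(self, clock=time.time):
        self._accounts = {}       # username -> Account
        self._clock = clock       # injectable so tests can advance time

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Slow, salted key derivation: the only thing persisted is this digest.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt=salt,
                                           digest=self._derive(password, salt))

    def verify(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals why a denial happened."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            # Spend the same work for unknown users so timing does not
            # reveal which usernames exist.
            self._derive(password, os.urandom(16))
            return "denied"
        if now < acct.locked_until:
            # Locked accounts reject every attempt, even a correct password,
            # until the cooling-off period has passed.
            return "locked"
        if hmac.compare_digest(self._derive(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"

    def admin_view(self, username: str) -> dict:
        """Everything an administrator can read about a credential (SA7)."""
        acct = self._accounts[username]
        return {"salt": acct.salt.hex(), "digest": acct.digest.hex(),
                "locked_until": acct.locked_until}


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "constructed-example-passphrase")
    print(store.verify("alice", "constructed-example-passphrase"))
    print(store.admin_view("alice"))
```

The `admin_view` method is the SA7 check: an operator with full read access to the store gets a salt and a digest, and recovering the password from them requires guessing at the full PBKDF2 cost per attempt. The lockout path is the SB2 check: once the failure threshold is hit, even the correct password is refused until the period ends, which bounds the online guessing rate per account.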

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.

Improper access

SB5: Servers must be protected from improper network-based access.

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

Logging access

SB7: User and administrator access to servers and applications must be logged.
