User must agree annually (via confidentiality reminder) to only access the specific information they have a business reason to access.

Make use of user groupings to determine authorization (for example, via groups in ActiveDirectory or LDAP or by using AuthZProxy or Grouper).

Send a list of active accounts to the business owner monthly to review; ideally this will be done via a trackable mechanism such as Service Now.

Disable account access if user leaves University or changes jobs such that they no longer have a business need to access the information; the best way to do this is by using the central authentication service.

On Windows the default built-in Administrator account must be renamed. Also, the default built-in Guest account must be disabled. 

 If not using one of the above servers then encryption should be implemented where technically and economically feasible.

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use of VPN is advised where available.

Windows file servers running SMBv3 must only permit use of encryption.

More information.

Disable the non-secure port.

For database communication, either use SSL or any other available option to encrypt data over the network

More information.

How to set up an HTTPS Service in
IIS - https://support.microsoft.com/kb/324069
Apache - https://httpd.apache.org/docs/current/ssl/ssl_howto.html 

More information on Linux

More information on Windows

Server operators should implement LDAP, AD, IAM as best practice where possible. Two factor authentication is required for any system handling L3/medium risk data and above.