Level 4

Track access to Level 4 information

Create a log of user access to level 4 data, identifying user name, date and time of access, and brief justification statement. Note access method (key or swipe).

Remote login must only permit the use of encrypted communications

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use 2-factor VPN to connect through the firewall first. 

Inventory Level 4 servers appropriately

Inventory Level 4 servers on an annual basis. At a minimum, annually conduct a formal survey of server owners in your department and ask them to provide the following information for each server in their application portfolio:

  • Business or Practice name
  • Asset (server) name
  • System location
  • System purpose
  • Type of Level 4 information stored, e.g. SSN, credit card, bank account, driver's license, state ID, passport or visa, or biometric data
  • Type of environment, e.g. production, test, development
  • Server type, e.g. physical...
Read more about Inventory Level 4 servers appropriately

Keep Level 4 servers in secure locations

Level 4 servers must be kept in secure locations which are under University control and which restrict access to authorized users with verified credentials. For keyed access, doors must be locked and ID checked before allowing access. Whether card swipe or keyed access, all access must be logged and the logs must be periodically audited. Walls must be full height, i.e. floor to ceiling with no gaps.

Log activities on the Level 4 server

The logs of user activities on a Level 4 system should include the identity of the user, the user's IP address, the time and the action taken. This log is primarily for post incident analysis.