Servers C

Connect servers individually to network devices

Servers on the subnet may be individually connected to network devices that are configured to block all server-to-server communications except where communication is specifically required.

Configure host-based firewalls

Servers may be configured with host-based firewalls that are configured to block all server-to-server communications except where communication is specifically required.

Protecting Servers

SC9: Servers on the same subnet must be protected against attack from each other, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Inventory Level 4 servers appropriately

Inventory Level 4 servers on an annual basis. At a minimum, annually conduct a formal survey of server owners in your department and ask them to provide the following information for each server in their application portfolio:

  • Business or Practice name
  • Asset (server) name
  • System location
  • System purpose
  • Type of Level 4 information stored, e.g. SSN, credit card, bank account, driver's license, state ID, passport or visa, or biometric data
  • Type of environment, e.g. production, test, development
  • Server type, e.g. physical...

Keep Level 4 servers in secure locations

Level 4 servers must be kept in secure locations which are under University control and which restrict access to authorized users with verified credentials. For keyed access, doors must be locked and ID checked before allowing access. Whether card swipe or keyed access, all access must be logged and the logs must be periodically audited. Walls must be full height, i.e. floor to ceiling with no gaps.

Log activities on the Level 4 server

The logs of user activities on a Level 4 system should include the identity of the user, the user's IP address, the time, and the action taken. This log is primarily for post-incident analysis.
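The following is an added example (not a Harvard tool or code from this page) of an activity log that carries the four fields named above, with a reader that rebuilds one user's or one address's timeline for post-incident review. Record structure, field names and the sample log lines are all constructed for illustration; timestamps are written in UTC so that entries from several hosts can be correlated.

```python
"""Structured activity log for a Level 4 system (added example, constructed data)."""
import json
from datetime import datetime, timezone
from ipaddress import ip_address

# The fields the requirement calls for: who, from where, when, and what.
REQUIRED = ("user", "src_ip", "time", "action")


def make_record(user, src_ip, action, when=None):
    """Build one JSON log line; refuse records that omit any required field."""
    when = when or datetime.now(timezone.utc)
    rec = {
        "user": user,
        "src_ip": str(ip_address(src_ip)),          # raises on a malformed address
        "time": when.isoformat(timespec="seconds"),  # UTC, ISO 8601
        "action": action,
    }
    if not all(rec[k] for k in REQUIRED):  # no anonymous or empty entries
        raise ValueError("activity record incomplete: " + json.dumps(rec))
    return json.dumps(rec, sort_keys=True)


def parse_log(lines):
    """Return (valid records, count of malformed lines).

    Malformed lines are counted rather than silently dropped: a gap in the
    audit trail is itself a finding during post-incident analysis.
    """
    good, bad = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            if any(not rec.get(k) for k in REQUIRED):
                raise ValueError("missing required field")
            ip_address(rec["src_ip"])
            datetime.fromisoformat(rec["time"])
            good.append(rec)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            bad += 1
    return good, bad


def timeline(lines, user=None, src_ip=None):
    """Chronological list of records for one user and/or one source address."""
    recs, _ = parse_log(lines)
    selected = [
        r for r in recs
        if (user is None or r["user"] == user)
        and (src_ip is None or r["src_ip"] == src_ip)
    ]
    return sorted(selected, key=lambda r: r["time"])


# Constructed sample log: three well-formed entries and one line that lacks
# the source address and time, as a broken logger might emit.
_T = lambda h, m: datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_record("alice", "10.100.7.8", "login", _T(9, 0)),
    make_record("alice", "10.100.7.8", "export SSN report", _T(9, 5)),
    make_record("bob", "10.100.9.2", "login", _T(9, 7)),
    '{"user": "alice", "action": "logout"}',
]

if __name__ == "__main__":
    records, malformed = parse_log(SAMPLE_LOG)
    print(f"{len(records)} valid records, {malformed} malformed")
    for r in timeline(SAMPLE_LOG, user="alice"):
        print(r["time"], r["src_ip"], r["action"])
```

The reader deliberately reports the malformed line count: when reconstructing an incident, knowing that entries are missing matters as much as the entries that are present.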

Designate users with permission to access applications

Owners/managers of applications dealing with Level 4 information must designate which employees have permission to access the application from outside the Harvard wired network or other Harvard strongly authenticated and encrypted wireless network.

Configure firewalls appropriately

The firewall between the Level 4 server and networks that include user computers must be configured to permit only the outbound traffic that is required to properly operate the service provided by the Level 4 server.
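Both the host-based firewall item above ("block all server-to-server communications except where communication is specifically required") and this outbound requirement come down to the same control: a deny-by-default ruleset built from an explicit, justified allowlist. The following added example (not Harvard's tooling or code from this page) generates such an nftables ruleset and includes a policy check so the required flows can be verified before the rules are loaded. Every address, host role and port is a constructed placeholder.

```python
"""Deny-by-default host firewall from a documented allowlist (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # network allowed to originate the connection (CIDR)
    dst: str     # destination network (CIDR)
    port: int    # TCP destination port
    reason: str  # why the flow is required; an empty reason is rejected

    def __post_init__(self):
        if not self.reason.strip():
            raise ValueError(f"flow {self.src}->{self.dst}:{self.port} has no documented need")
        ip_network(self.src)  # both raise on a malformed CIDR
        ip_network(self.dst)
        if not 0 < self.port < 65536:
            raise ValueError("port out of range")


# Constructed placeholders for one Level 4 application server and its peers.
APP = "10.20.4.10/32"
DB = "10.20.4.20/32"
PATCHES = "10.50.0.5/32"
USERS = "10.100.0.0/16"

# Inbound: who may open connections to this server. Other servers on the
# subnet are absent, so server-to-server traffic is dropped by default.
REQUIRED_INBOUND = [Flow(USERS, APP, 443, "users reach the application front end")]

# Outbound: what this server itself may open towards other networks.
REQUIRED_OUTBOUND = [
    Flow(APP, DB, 5432, "application stores records in its database"),
    Flow(APP, PATCHES, 443, "operating system patch downloads"),
]


def _rule(flow):
    return (f'ip saddr {flow.src} ip daddr {flow.dst} tcp dport {flow.port} '
            f'accept comment "{flow.reason}"')


def build_ruleset(inbound, outbound):
    """Return nftables text where both chains drop anything not allowlisted."""
    lines = ["table inet level4 {"]
    for chain, flows in (("input", inbound), ("output", outbound)):
        iface = "iif" if chain == "input" else "oif"
        lines += [
            f"  chain {chain} {{",
            f"    type filter hook {chain} priority 0; policy drop;",
            "    ct state established,related accept",  # replies to allowed flows
            f"    {iface} lo accept",                     # loopback stays usable
        ]
        lines += ["    " + _rule(f) for f in flows]
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def is_allowed(flows, src, dst, port):
    """Decide a new connection the way the generated chain would."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(f.src) and d in ip_network(f.dst) and port == f.port
               for f in flows)


if __name__ == "__main__":
    print(build_ruleset(REQUIRED_INBOUND, REQUIRED_OUTBOUND))
```

Keeping the justification on each `Flow` means the generated rules carry it as an nftables comment, which is what an auditor checking "specifically required" will ask for; `is_allowed` lets a change be tested against the documented flows before it reaches a production host.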

Implement annual vulnerability testing

Server operators must take reasonable actions to ensure that Level 4 systems undergo at least annual vulnerability testing and vulnerability remediation.