Level 2

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Current patches

SA9: Operating system and application patches must be current and supported by the vendor or Open Source project.

Password management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

Stored passwords

SA7: Systems that manage user passwords must be designed in such a way that the passwords are not retrievable by administrators.
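The usual way to satisfy SA7 is to never store the password at all: keep only a per-user random salt and the output of a deliberately slow key-derivation function, and verify a login by recomputing that output. The following is an added illustration, not code from this policy or from any system it governs. It assumes PBKDF2-HMAC-SHA256 as the derivation function (a memory-hard function such as Argon2 or scrypt is a better choice where a library is available), a hypothetical record format `scheme$iterations$salt$digest`, and an in-memory user table constructed inline.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Policy parameters for this example (assumed values, not from the page).
SCHEME = "pbkdf2-sha256"
ITERATIONS = 600_000   # current cost; raise over time as hardware gets faster
SALT_BYTES = 16
DIGEST_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record that does not contain the password.

    The record holds only the scheme, the cost, a random salt and the derived
    digest. Nothing in it lets an administrator recover the password.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the candidate password and compare in
    constant time. Malformed or unknown records verify as False."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if scheme != SCHEME or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with a lower cost than current policy,
    so the system can upgrade it transparently at the user's next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


# Constructed in-memory user table: username -> stored record.
def register(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = hash_password(password)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Verify a login; on success, re-derive the record if policy cost rose.
    The plaintext is only ever present in memory during this call."""
    stored = users.get(username)
    if stored is None:
        # Burn the same cost for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    table: Dict[str, str] = {}
    register(table, "alice", "correct horse battery staple")
    print(table["alice"])           # no plaintext anywhere in the record
    print(login(table, "alice", "correct horse battery staple"))
    print(login(table, "alice", "wrong password"))
```

Two properties matter for SA7: the record contains nothing from which the password can be derived other than by guessing, and the cost parameter makes guessing expensive. `needs_rehash` is what lets an operator raise the cost later without a password reset campaign. Administrators who need to help a user reset a password should do so by issuing a new one-time credential, never by reading the stored record.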

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established.

Server communication

SA3: Communications between servers or applications and client machines must be protected. 

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):...

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.