...
- Until vetted, these machines are firewalled as described in the Installation Subzone.
- An accepted vulnerability and patch management plan must be in place.
- Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
- Inform Security if the list of services changes.
- Enable host-based brute-force mitigations, using the security team's host-based IDS where possible.
- Forward system logs to the security team's log collector.
- Utilize non-local accounts for remote access unless otherwise approved.
- Require two-factor-protected bastion hosts, jump hosts or VPNs for access to administrative interfaces.
- Routing, traffic forwarding, bridging between subnets and any other form of proxying traffic between networks through the host are prohibited without express permission from Security & Networking.
- Maintain and enforce a list of authorized administrators, and keep records up-to-date so that Security can quickly determine responsible parties for the system. At least one responsible party must be a full-time employee working at the NCSA.
- Provide Security with accounts on the system or a way to quickly get access 24/7 for emergencies.
- Notify Security of any sensitive, confidential or regulated data expected to be on the system.
...
- Use two-factor authentication for administrative access or escalation, or request an exemption from Security.
- Disable routing, traffic forwarding, bridging between subnets and any other form of proxying traffic between networks through the host unless approved by Security & Networking.
- Label systems in the rack and keep labels up-to-date.
- Maintain and provide the security team with:
- accounts on the system or a way to quickly get access 24/7 for emergencies
- purpose of the system and notification of any sensitive or confidential data
- a list of authorized administrators and a responsible full-time NCSA staff person
- a list of necessary services/ports open
- a plan for vulnerability and patch management
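The items above that a host can check about itself (listening ports versus the registered service list, forwarding state, bridge interfaces, remote log forwarding) can be audited with a short script. The following is an added example, not NCSA's own tooling; the "proto/port per line" format of the approved-services file, its path, the collector hostname and the sample `ss` output are all assumptions, and anything bound only to loopback is treated as not network-exposed.

```python
"""Host self-audit against the checklist above.

Added example, not NCSA's own tooling. Assumed (not stated on the page): the
approved service list is a text file with one "proto/port" entry per line,
the host is Linux with `ss`, /proc/sys and rsyslog, and listeners bound only
to loopback are not network-exposed.
"""
import re
import subprocess
from pathlib import Path

# Constructed sample of `ss -tulnH` output, not captured from a real host.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      4096          [::]:9100           [::]:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

# Constructed approved-services list in the assumed "proto/port" format.
SAMPLE_APPROVED = """\
# hypothetical list registered with Security for this host
tcp/22     # ssh, reachable only via the two-factor bastion
tcp/9100   # metrics exporter, monitoring subnet only
"""

# Constructed rsyslog fragment with a remote target (hypothetical collector).
SAMPLE_RSYSLOG = "*.* @@logs.example.org:6514\n"

LOOPBACK = ("127.", "::1")


def parse_approved(text):
    """Return the set of (proto, port) pairs in an approved-services file."""
    approved = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            proto, port = line.lower().split("/")
            approved.add((proto, int(port)))
    return approved


def parse_listeners(ss_text):
    """Parse `ss -tulnH` lines into (proto, address, port) tuples."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def unapproved_listeners(listeners, approved):
    """Network-reachable listeners that are not on the approved list."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in listeners
        if not addr.startswith(LOOPBACK) and (proto, port) not in approved
    )


def forwarding_enabled(sysctls):
    """Names of forwarding sysctls whose value is anything other than 0."""
    return sorted(name for name, value in sysctls.items() if value.strip() != "0")


def has_remote_log_target(rsyslog_conf):
    """True if rsyslog forwards to a remote host (legacy @/@@ or omfwd action)."""
    legacy = re.search(r"^\s*[^#\s]+\s+@{1,2}\S+", rsyslog_conf, re.M)
    rainer = re.search(r'type\s*=\s*"omfwd"', rsyslog_conf)
    return bool(legacy or rainer)


def live_report(approved_file="/etc/security/approved-services.txt"):
    """Run the checks on this host (Linux) and return the findings as a dict."""
    ss_out = subprocess.run(["ss", "-tulnH"], capture_output=True, text=True, check=True).stdout
    sysctls = {
        "net.ipv4.ip_forward": Path("/proc/sys/net/ipv4/ip_forward").read_text(),
        "net.ipv6.conf.all.forwarding": Path("/proc/sys/net/ipv6/conf/all/forwarding").read_text(),
    }
    bridges = [p.name for p in Path("/sys/class/net").iterdir() if (p / "bridge").is_dir()]
    conf_paths = [Path("/etc/rsyslog.conf"), *Path("/etc/rsyslog.d").glob("*.conf")]
    conf = "".join(p.read_text() for p in conf_paths if p.is_file())
    approved = parse_approved(Path(approved_file).read_text())
    return {
        "unapproved_listeners": unapproved_listeners(parse_listeners(ss_out), approved),
        "forwarding_enabled": forwarding_enabled(sysctls),
        "bridge_interfaces": bridges,
        "logs_forwarded": has_remote_log_target(conf),
    }


if __name__ == "__main__":
    for key, value in live_report().items():
        print(f"{key}: {value}")
```

Run it on the host itself (it reads `ss`, `/proc/sys` and the rsyslog configuration); any entry in `unapproved_listeners`, any name in `forwarding_enabled` or `bridge_interfaces`, or `logs_forwarded` being false is a deviation from the list above that Security should hear about. The parsing functions take text so the same logic can be exercised offline on captured output.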
...
- Follow all campus and NCSA employee policies regarding software updating, virus scanning, data security, incident reporting, etc.
- Register with an NCSA ID to receive an IP address and give a point-of-contact for Security as part of the process.
- The default network type is firewalled, though users can opt out.
- Network registration is only for NCSA staff and should not be done for guests. Guest accounts and temporary registrations are available for these use cases.
- Re-registration is required annually.
- Do not bridge subnets without approval from Networking & Security.
- Business Office systems are administered and maintained by ITS, and the corresponding workstations and laptops are on a firewalled network.
...