...

  • Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
  • Enable host-based brute-force mitigations utilizing the security team's host-based IDS if possible.
  • Forward system logs to the security team's log collector.
  • Two-factor authentication is required for remote access. Single sign-on is limited to 10 million seconds, the lifetime of a short-lived grid certificate.
  • Users are automatically logged off for inactivity, and SSH sessions do not last more than 24 hours.
  • Require two-factor bastions, jump-hosts or VPNs for access to administrative interfaces.
  • Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxying are prohibited without express permission from Security & Networking.
  • ePHI is encrypted in transit and at rest on storage devices and is only accessible to the proper customer/data owner.
  • Shared, writable file-systems must be securely wiped between jobs from different users or organizations.
  • Data transfer endpoints must be whitelisted and scoped to the customer's networks.
  • Only encrypted methods of data movement that also protect integrity in transit are allowed.
  • MOTD and other welcome screens for users or administrators must remind them of the system's sensitivity, the requirement for laptop encryption, that the system is only for authorized staff and clients, and the University's policies for HIPAA-protected data.

...