Versions Compared

...


Document Name: NCSA Network Security Policy
Version: 3.01 (previously 3)
Accountable: Alex Withers (previously Adam Slagell)
Authors: Adam Slagell, Joerg Heintz, & Mike Dopheide

Reviewed: Sept 21, 2022
Approved: Dec 16, 2021 by IIB (previously: Waiting on 3.0 changes for HIPAA zone)



Introduction

NCSA logically divides its network into several different trust zones. Traffic between these zones is monitored by a Network Intrusion Detection System (NIDS), but traffic within a single zone may not be visible to the NIDS. Therefore, systems within a single zone must be trusted and hence hardened to a similar level.

...

For the purposes of this document, production systems are defined as any system, including allocated systems, intended to provide reliable computational and/or data services to a networked constituency. These systems include not only “customer facing” hosts, such as web servers, file servers, login nodes, etc., but also the infrastructure required to support them, such as backend database servers, backup and storage systems, authentication servers, etc.

NCSA

...

Internal Infrastructure Board (IIB)

The leaders of ADS (Advanced Digital Services), ITS (Information Technology Services), and Security are responsible for applying this policy. These three groups are the service providers of infrastructure at NCSA and meet regularly to discuss security issues and strategy for providing better services.

...

The Advanced Computational Health Enclave (ACHE) is a physically and virtually segmented zone used exclusively for processing and storing sensitive data, including electronic Protected Health Information (ePHI) and Controlled Unclassified Information (CUI).

Types of Systems:

ACHE is the only approved space for storing and processing ePHI and CUI, and both physical and electronic access are restricted to workforce members with approved access. These systems often have high-availability needs, and hence this zone has a separate UPS backup system. Like the HPDC zone, these systems are first built in a firewalled subzone until fully vetted by the security team, which is responsible for regularly auditing the systems against the additional security requirements below.

...

Informational Requirements for ePHI:

  • The authorized set of administrators must all be workforce members of the NCSA Health Care Component (NHCC), and this group's access must be automated by a process approved by the NCSA HIPAA Liaison.
    • The security operations team is part of this group and must be able to access systems 24/7 in an emergency.
  • It is assumed that ePHI, which is high-risk data, is on these systems. These are not dual-use systems but are only for work related to health and medicine. The NCSA HIPAA Liaison must be informed of any data from new sources on these systems, especially when personally identifying information is recorded.
  • Approved (by the NCSA HIPAA Liaison) vulnerability and patch management procedures must be in place.
  • Approved (by the NCSA HIPAA Liaison) change control procedures must be implemented and documented.
  • Local and privileged account passwords are managed with the NCSA-provided, two-factor password management solution.

...

Informational Requirements for CUI:

  • The authorized set of administrators must all be workforce members of the NCSA Staff with ACHE Access, and this group's access must be automated by a process approved by the NCSA CISO.
    • The security operations team is part of this group and must be able to access systems 24/7 in an emergency.
  • It is assumed that CUI, which is high risk data, is on these systems. These are not dual-use systems but are only for work related to research involving CUI. The NCSA CISO must be informed of any data from new sources on these systems, especially when personally identifying information is recorded.
  • Approved (by the NCSA CISO) vulnerability and patch management procedures must be in place.
  • Approved (by the NCSA CISO) change control procedures must be implemented and documented.
  • Local and privileged account passwords are managed with the NCSA-provided, two-factor password management solution.

Host Configuration Requirements:

  • All unnecessary services and accounts must be disabled

...

  • Disable any unnecessary services and accounts, and enforce with host-based firewalls where possible.
  • Enable host-based brute-force mitigations using the security team's host-based IDS where possible.
  • System logs must be forwarded to the security team's log collector.
  • Two-factor authentication is required for remote access. Single sign-on is limited to 10 million seconds, the lifetime of a short-lived grid certificate.
  • Brute-force mitigations must be used if a system's access path does not support two-factor authentication.
  • Users are automatically logged off after 12 hours of inactivity, and SSH sessions do not last more than 24 hours.
  • Access to administrative interfaces requires two-factor bastions, jump-hosts or VPNs.
  • Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxying are prohibited without express permission from Security & Networking.
  • ePHI and CUI are encrypted on storage devices and only accessible to the proper customer/data owner.
  • Shared, writable file-systems must be securely wiped between jobs from different users or organizations.
  • Data transfer endpoints must be whitelisted and scoped to the customer's networks.
  • Only encrypted methods of data movement that also protect the integrity of data in transit are allowed.
  • Motd and other welcome screens for users or administrators must remind them of the system's sensitivity, the requirement for laptop encryption, that the system is only for authorized staff and clients, and the University's policies for protected data, including HIPAA and CUI policies.
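As an added example (not part of the NCSA policy or any NCSA tooling), the Python script below audits text fragments of a host's sshd_config, shell profile and rsyslog configuration against several of the bullets above: two-factor authentication for remote access, the 12-hour inactivity logoff, log forwarding to a collector, and the login banner. The policy states requirements, not mechanisms; `AuthenticationMethods`, `ClientAlive*`, `TMOUT` and rsyslog forwarding are assumed here as one common way to meet them, the sample configurations and collector hostname are constructed, and `Match` blocks in sshd_config are not evaluated.

```python
"""Audit host settings against the ACHE host configuration bullets.

Added example, not part of the NCSA policy: parses three constructed text
fragments (sshd_config, a shell profile, an rsyslog conf) and reports which
bullets they satisfy. The mechanisms checked are assumptions, not ones the
policy prescribes.
"""
import re

INACTIVITY_LIMIT_SECONDS = 12 * 3600  # policy: auto log-off after 12 h idle


def _strip(line):
    """Drop a trailing comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of sshd_config.

    sshd uses the FIRST value it sees for a keyword, so the first wins here
    too. Parsing stops at the first Match block (not evaluated by this example).
    """
    settings = {}
    for raw in text.splitlines():
        parts = _strip(raw).split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_two_factor(settings):
    """Remote access requires two factors: in AuthenticationMethods, comma-joined
    methods must ALL succeed, while space-separated groups are alternatives, so
    every alternative must name at least two methods."""
    methods = settings.get("authenticationmethods", "")
    if not methods or methods.lower() == "any":
        return False
    return all("," in alt for alt in methods.split())


def check_client_alive(settings):
    """A client that stops responding is dropped within the inactivity limit.
    ClientAliveInterval (default 0 = off) x ClientAliveCountMax (default 3)
    bounds a dead connection; this is liveness, not user idleness (see TMOUT)."""
    interval = int(settings.get("clientaliveinterval", "0"))
    count = int(settings.get("clientalivecountmax", "3"))
    return 0 < interval * count <= INACTIVITY_LIMIT_SECONDS


def check_banner(settings):
    """A pre-login banner is configured (the policy's motd/welcome reminder)."""
    return settings.get("banner", "none").lower() != "none"


def check_shell_idle_timeout(profile_text):
    """TMOUT is at most 12 h and read-only, so an idle user cannot unset it."""
    value = re.search(r"^\s*(?:readonly\s+|export\s+)*TMOUT=(\d+)", profile_text, re.M)
    readonly = re.search(r"^\s*readonly\s+TMOUT\b", profile_text, re.M)
    return bool(value and readonly) and 0 < int(value.group(1)) <= INACTIVITY_LIMIT_SECONDS


def check_log_forwarding(rsyslog_text):
    """rsyslog forwards to a remote collector: legacy '@host' (UDP) or
    '@@host' (TCP) selector lines, or an omfwd action."""
    for raw in rsyslog_text.splitlines():
        line = _strip(raw)
        if re.match(r"\S+\s+@{1,2}\S+", line) or 'type="omfwd"' in line:
            return True
    return False


def audit(sshd_text, profile_text, rsyslog_text):
    """Map each checked policy bullet to a pass/fail result."""
    sshd = parse_sshd_config(sshd_text)
    return {
        "two_factor_remote_access": check_two_factor(sshd),
        "dead_session_limit": check_client_alive(sshd),
        "inactivity_logoff": check_shell_idle_timeout(profile_text),
        "logs_forwarded": check_log_forwarding(rsyslog_text),
        "login_banner": check_banner(sshd),
    }


# Constructed sample configurations (not taken from any real host).
GOOD_SSHD = """
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 300
ClientAliveCountMax 3
Banner /etc/issue.net
PermitRootLogin no
"""
GOOD_PROFILE = "TMOUT=43200\nreadonly TMOUT\nexport TMOUT\n"
GOOD_RSYSLOG = "*.* @@logcollector.example.invalid:6514  # TCP to the collector\n"

BAD_SSHD = "AuthenticationMethods publickey password\nClientAliveInterval 0\n"
BAD_PROFILE = "TMOUT=86400\n"                        # 24 h and not read-only
BAD_RSYSLOG = "auth,authpriv.* /var/log/auth.log\n"  # local file only

if __name__ == "__main__":
    for label, args in (("good", (GOOD_SSHD, GOOD_PROFILE, GOOD_RSYSLOG)),
                        ("bad", (BAD_SSHD, BAD_PROFILE, BAD_RSYSLOG))):
        for check, ok in audit(*args).items():
            print(f"{label:4} {check:26} {'PASS' if ok else 'FAIL'}")
```

Run directly, it prints PASS/FAIL per check for the constructed good and bad configurations; on a real host, feed it the contents of /etc/ssh/sshd_config, the profile fragment that sets TMOUT and the rsyslog configuration. The 24-hour SSH session ceiling and the brute-force mitigations have no single configuration line to inspect and are not checked by this script.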

Network Monitoring:

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but that have not been vetted and approved may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but network flows are collected.

...

Servers, whether supporting internal NCSA services or NCSA projects and their customers, are important, and their compromise can have a significant effect on NCSA productivity and reputation. Even if they are not considered production servers, the impact can be significant if the data on the systems is exposed, due to privacy considerations, regulatory and legal requirements, or confidentiality agreements. Therefore, a certain level of accountability is still required of all these systems.

Informational Requirements:

Systems or their administrators must:

...