- All unnecessary services and accounts must be disabled, and enforce with host-based firewalls where possible.
- Host-based brute-force mitigations utilizing the security team's host-based IDS must be enabled if possible.
- System logs must be forwarded to the security team's log collector.
- Two-factor authentication is required for remote access. Single-sign-on is limited to 10 million seconds, the lifetime of a short-lived grid certificate.
- Brute-force mitigations will be utilized if a system's access path does not support two-factor.
- User are automatically logged-off after 12 hours of inactivity.
- SSH sessions do not last more than 24 hours.
- Access to administrative interfaces requires two-factor bastions, jump-hosts or VPNs.
- Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxy is prohibited without expressed permission from Security & Networking.
- ePHI is encrypted on storage devices and only accessible to proper customer/data owner.
- Shared, writable file-systems must be securely wiped between jobs from different users or organizations.
- Data transfer endpoints must be whitelisted and scoped to the customer's networks.
- Only encrypted methods of data movement are allowed that also protect the integrity of data in transit.
- Motd and other welcome screens for users or administrators must remind them of the systems's sensitivity, the requirement for laptop encryption, that the system is only for authorized staff and clients, and the University's policies for HIPAA protected data.