Secure Computing

Minimum Security Controls for Devices, Systems and Servers

Introduction

Users who handle electronic Protected Health Information (ePHI) or other 3-Lock data are required to follow separate device security policies as required by law, regulation or contract. Please consult those policies for specific requirements (e.g., see Policy 5100, Section 5100.12 or Policy 1602, Section 1602.2).

This document provides Information Security, Policy and Compliance's recommended posture for all information assets at Yale - even when the data you are dealing with is not 3-Lock data.


Networking and Cloud Storage

Network Configuration
  • VPN is needed for remote access (e.g. logging into your workstation via Remote Desktop, or connecting to Yale network shares).
  • Only registered devices can attach to the Yale network (design and implementation in progress).
Cloud Storage
  • Use only Yale-contracted cloud storage. Data stored in a private consumer cloud account is not accessible to Yale personnel in case of emergency, and storing it there increases the probability that sensitive University data or sensitive personal data will be improperly shared.

 

Workstations and Mobile Devices

All Workstations
  • Strong passwords are absolutely required. Unique, strong passwords (e.g. a different password for each service you use) are recommended.
  • Refreshed hardware: Workstation hardware should be replaced on a regular basis. Using a 4-year replacement cycle is recommended. Lab equipment may require a much longer replacement cycle; however, the hardware should be replaced before support for the installed operating system ends. Many users have found it difficult to comply with newer security best practices (including full-disk encryption) due to performance issues experienced on older hardware. This is not a security technology problem but a technology refresh problem.
  • ITS provides centralized patch management (through the Managed Workstation Program) to help ensure the stability, availability and security of your workstation.
  • Anti-Virus software must be installed.
  • Separate Administrator Access Account: Daily tasks on the workstation should be completed using a regular user account, but each user may have a separate administrative account created for installing software and updates.
  • Each workstation should be assigned a private IP address. Public addresses are for websites that have external consumers. 
  • Full-disk encryption is required for workstations handling 3-Lock data and is recommended for all workstations.
Additional Security for Laptops
  • All items included in the All Workstations configuration.
  • Full-disk encryption is mandatory. 
  • Security cables must be used to secure unattended laptops.
Mobile Devices
  • Passwords are required.
  • Encryption must be turned on.
  • Central authentication should be used when available (design and implementation in progress).

 

Servers and Databases

Servers
  • All items included in the All Workstations configuration.
  • Servers must be housed in data centers or in server rooms with badge readers for access and security alarms/monitoring. Badge readers allow you to account for who has physically accessed a server room in a way that traditional key-locked doors cannot.
Databases
  • All items included in the All Workstations configuration.
  • Databases must never be installed on webservers.
  • Separation of duties must be enforced: web developers should not be the same people as the database administrators.