Firewalls for Database Servers

- The database server is located behind a firewall with default rules to deny all traffic.
- The database server firewall is opened only to specific application or web servers, and firewall rules do not allow direct client access. If the development environment cannot meet this requirement, then protected data is not stored in the development database server and mock data is made up for development. Data obfuscation of production data is not sufficient.
- Application and web servers are not hosted on the same machine as the database server.
- Firewall rule change control procedures are in place, and notification of rule changes is distributed to System Administrators (SAs) and Database Administrators (DBAs).
- Firewall rules for database servers are maintained and reviewed on a regular basis by SAs and DBAs. If using the IST provided firewall service, the rules are also regularly reviewed by the Information Security Office (ISO).
- Regularly test machine hardening and firewall rules via network scans, or by allowing ISO scans through the firewall.

Database Software

- The database software version is currently supported by the vendor or open source project, as required by the campus minimum security standards.
- All unused or unnecessary services or functions of the database are removed or turned off.
- Unneeded default accounts are removed, or else passwords are changed from defaults.
- Null passwords are not used, and temporary files from the install process that may contain passwords are removed.
- Database software is patched to include all current security patches. Provisions are made to maintain security patch levels in a timely fashion.

Application / Web Servers / Application Code

- Destination systems (application/web servers) receiving protected data are secured in a manner commensurate with the security measures on the originating system.
- All servers and clients meet minimum security standards.
- All servers, applications and tools that access the database are documented.
- Configuration files and source code are locked down and only accessible to required OS accounts.
- Application code is reviewed for SQL injection vulnerabilities.
- No "spyware" is allowed on the application, web or database servers.

Client Workstations

- If users are allowed protected data on their workstations, then client workstations meet the minimum security standards.
- If users are allowed protected data on their workstations, then the workstation is protected against unauthorized access to a session by deploying screen savers.
- Users understand the requirement to lock their workstations when leaving the station.
- If users are allowed protected data on their workstations, then the workstation should require an individual login and password.
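The SQL injection review item above is the one checklist point a reviewer can demonstrate concretely. The following is an added example, not code from the original page: the table, its rows and the two lookup functions are constructed here to show the defect pattern a code review flags (input spliced into the query text) next to the parameterised form the review should require, using the standard-library sqlite3 module as a stand-in for the site's database.

```python
import sqlite3


def make_db():
    # Constructed sample data for this example; the column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Pattern a review should reject: the caller's input is pasted into the SQL text,
    # so the input can change the structure of the query, not just its value.
    sql = "SELECT username, ssn FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterised query: the driver binds the value separately from the statement,
    # so whatever the input contains is only ever compared as data.
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # Tautology-style value of the kind a reviewer uses as a test case: against the
    # vulnerable function it disables the WHERE filter and returns every row.
    crafted = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "hard_benign": lookup_hardened(conn, benign),
        "hard_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The hardened lookup returns no rows for the crafted input, which is the outcome a review should confirm for every query that takes external input.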