Server Security
Getting Started With Server Security
All servers on campus (and the applications they run) must conform to Stanford University's minimum security standards. If you are running a server that is not managed by TDS or UIT, you will need to make sure that you're following Stanford policies about keeping the data properly secured. Alternatively, you may choose to have your server moved to a data center and managed by TDS. Wherever it's physically located, you want to make sure that it's correctly configured for good security, including being put on a protected network.
SUSI
As part of the School of Medicine Security initiative, all servers at the School of Medicine must also be entered into SUSI (Stanford University System Inventory). SUSI keeps track of all the servers on campus, automatically verifying several minimum security standards and identifying possible compliance issues. If you are listed as the user or administrator for a server (whether it's located in the Stanford Data Center or not), you must create a record for it in SUSI.
Server Exceptions
If your server cannot meet all of the Minsec standards for technical reasons, you will need to apply for an exception.
For more information, including what kinds of servers might qualify for an exception, visit the UIT site here »
Server Hosting
If you've determined that your server should be located in a data center and want to learn more, visit the Data Center Services page here »
Cookbooks
Minimum Security Standards require a large checklist of tasks to make sure servers are secured properly. (For one, all High Risk Linux servers should install the Linux Fixlet.)
UIT provides a list of cookbooks to simplify the process of securing your servers with Moderate or High Risk Data to the minimum security standards.
The School of Medicine requires servers with High Risk Data to install BigFix for Servers in order for SUSI to verify multiple minimum security standards. Instructions are in the UIT Cookbooks above.
Security Assessments
If you need to use High Risk Data and store it, you should first complete a Data Risk Assessment (DRA). The first step is the questionnaire, which will help the Information Security Office (ISO) and the University Privacy Office (UPO) determine whether you should proceed to the full Data Risk Assessment. They will help you with the next steps to properly secure your operation so that you can proceed with your necessary work while remaining compliant with security standards. To learn more, go here »