Server Security
Getting Started With Server Security
All servers on campus (and the applications they run) must conform to Stanford University's minimum security standards. If you are running a server that is not managed by TDS or UIT, you will need to make sure that you're following Stanford policies about keeping the data properly secured. Alternatively, you may choose to have your server moved to a data center and managed by TDS. Wherever it's physically located, you want to make sure that it's correctly configured for good security, including being put on a protected network.
In the School of Medicine, there are additional requirements for servers:
- All servers with High Risk data must have BigFix for Servers installed and compliance with minsec verified in SUSI
- While not required, we recommend that also moderate and low risk servers provide status to SUSI.
- Externally exposed servers (regardless of the risk level of the data) must have BigFix for Servers and CrowdStrike installed
- Externally exposed servers are also scanned by Shorebreak Security. We use their continuous Lifeguard Service Plan. High and Critical vulnerabilities must be remediated within one day or external access to the server may be removed.
- Linux servers with BigFix must have the linux fixlet installed. [We can deploy this to you or you can submit a ticket?]
SUSI
As part of the School of Medicine Security intitiative, all servers at the School of Medicine must also be entered into SUSI (Stanford University System Inventory). SUSI keeps track of all the servers on campus, automatically verifying several minimum security standards and identifying possible compliance issues. If you are listed as the user or administrator for a server (whether it's located in the Stanford Data Center or not, you must create a record for it in SUSI.
Server Exceptions
If your server cannot meet all of the Minsec standards for technical reasons, you will need to apply for an exception.
For more information, including what kinds of servers might qualify for an exception, visit the UIT site here »
Server Hosting
If you've determined that your server should be located in a data center and want to learn more, visit the Data Center Services page here »
Cookbooks
Minimum Security Standards require a large checklist of tasks to make sure servers are secured properly. (For one, all High Risk Linux servers should install the Linux Fixlet.)
UIT provides a list of cookbooks to simplify the process of securing your servers with Moderate or High Risk Data to the minimum security standards.
The School of Medicine requires servers with High Risk Data to install BigFix for Servers in order for SUSI to verify multiple minimum security standards. Instructions are in the UIT Cookbooks above.
Security Assessments
If you need to use High Risk Data and store it, first you should complete a Data Risk Assessment (DRA). The first step is the questionaire, which will help the Information Security Office (ISO) and the University Privacy Office (UPO) to determine whether you should proceed to the full Data Risk Assessment. They will help you with the next steps to properly secure your operation so that you can proceed with your necessary work while remaining compliant with security standards. To learn more, go here »