Best Practices Checklist

This section of the Customer Privileged Access Management (CPAM) server reviews and reports the status of several system settings. Each option displays whether or not the recommended setting has been met. An overall score is assigned based on the number of passing checks.

The administrator is allowed to accept the current score, or fix the settings with a click on the individual checks.

Administrators can also select the individual compliance levels they want their server to comply to, between different compliance regulations in the System Settings page. These recommendations up to date with the latest legislation.

The available checklists are:

  • HIPAA: Health Insurance Portability and Accountability Act
    Learn more about HIPAA.

  • PCI: Payment Card Industry
    Learn more about PCI.

  • NERC: North American Electric Reliability Corporation
    Learn more about NERC.

  • CJIS: Criminal Justice Information Services (FBI)
    Learn more about CJIS.

Best Practices Reference

The Best Practices Checklist page contains the Report Summary Score and the Best Practices Checklist.

The Report Summary Score increases or decreases depending on your configuration's compliance with Best Practices you selected in the System Settings. The Best Practices Checklist details your current settings compared to the Best Practices you selected in the System Settings.

To improve the score, a System Administrator can click on the Fix link to any changes. The Report Summary Score updates accordingly.

When a server setting change lowers the score, the system sends notifications and emails about the changes to the Administrator Notification List set in the System Settings.

Additionally, the system displays the following message at the top of the interface when the score drops below 76 points:

There are configuration warnings that need your attention. Please click here to review them

The following table describes what each line in the Best Practices Checklist refers to.

Category Check Description
Architecture Redundant SMTP CPAM uses SMTP to send emails under a number of circumstances and recommends having a backup mail server. Up to two backup mail servers can be added.
Redundant Gateways CPAM supports fully redundant high availability, pooled, and failover gateway deployments. Pooled gateways introduce a number of benefits to your deployment, including both load-balancing and redundancy. Pooled gateways synchronize applications between multiple gateways, load balance connections, and reduce resource usage on individual gateways servers. A failover gateway will automatically take over in the event of a disaster or loss of connectivity, with no manual migration required.
Version Stable CPAM version (9 months or newer). Read our Release Notes to discover the latest versions of CPAM.
SSL Certificate Expiration SSL Certification Expiration date is provided here to help customers prepare to update the SSL Certificate.
Notification List Anyone on this list will be notified when changes are made in the UI that may decrease your Best Practices score. Read System Messages for more information.
Client Anti-virus Health

Checks the status of the installed Anti-Virus software on the user's Windows desktop. The Connection Manager can check the status of the Security Health Provider (anti-virus) and decide whether or not to allow the connection based on the reported status.

Configure this option by contacting your Support agent.
Disaster Recovery Ensures that in the event of a full site failure, SecureLink can still operate by leveraging the backup node.
Identification Internal Employment Verification Email verification is enabled for all internal users.

Authentication

 Important: If you are using the Active Directory or SAML integration, the password settings apply only to external users (vendor representatives, or other users with local authentication).
Password Length Ten (10) or more characters are recommended for password length.
Password Character Set Three (3) or more sets of alpha, ALPHA, numeric, and symbols are recommended
Password Dictionary Set This is tied to "Ban frequently used passwords" under Password Settings. CJIS requires that passwords are not dictionary words. Enabling this setting will prevent a user from creating a password that is just a single dictionary word.
Password Expiration Set the password expiration policy. 90 days or less is recommended.
Password history restriction Set a number of last passwords that are allowed. Restricting the last ten (10) password entries is recommended.
Two-Factor for Internal Users Enforce email verification or Mobile Authentication.
Authorization Minimum Access Windows This field will be flagged if any applications are permanently enabled with no end date or access schedule being utilized. Using access expiration or an access schedule for applications is recommended.
Inactive Accounts Expiration Disable inactive users after 90 days (both AD and local accounts).
Session Expiration An auto-logout is set after a configurable amount of idle time.
Inactive Applications Disable inactive applications (not connected to in 180 days or more) that currently do not have an access expiration.
Configuration Support Contact Information Provide support contact information under System Messages.