Policy 7.8 Server Management
SCOPE: FACULTY AND STAFF
1. POLICY STATEMENT
1.1. This policy promotes the appropriate management of LIT servers to achieve consistency, increase availability and security, facilitate disaster-recovery, coordinate technical operations and apply sound information technology management practices consistently throughout LIT.
2.1. LIT Information Technology shall administer all servers with the exception of those described in Section 4 of this policy and those maintained on- or off-site by third party vendors as per contract or agreement.
2.2. Users shall be provided with the minimum amount of access required to perform job duties. Additional privileges may be added with appropriate authorization.
2.3. Security controls must be implemented in such a way as to meet the confidentiality, integrity, and availability requirements of the data stored, processed, and/or transmitted by the platform.
2.4. All servers shall be configured, managed, and monitored as per LIT’s Server Management Standards (Appendix A). This includes those maintained on- or off-site by third party vendors as per contract or agreement. Departmental servers, as described in Section 4, may be excepted from this requirement when used for academic purposes.
2.5. Backup and Recovery
2.5.1. Backups shall be completed regularly based on a risk assessment of the data and services provided. Restoration of software and data from backups should be tested on a regular basis to assure viability in the event of a service disruption. If backup media contains confidential data, the data on the backup media or the media itself must be encrypted.
2.5.2. Physical access to the server and backup media shall be restricted to persons with a legitimate need for such access.
3. SERVERS MAINTAINED BY DEPARTMENTS
3.1. Departments may be authorized to maintain servers, provided they are used solely for teaching purposes. To be considered as a server used for teaching purposes, it must meet one or more of the following criteria:
3.1.1. Embedded servers in technology used by academic and other educational programs.
3.1.2. Servers used by departments solely for the purpose of teaching computing courses.
3.2. No confidential or mission critical information may be stored on departmental servers.
3.3. Departmental servers must run licensed software operating systems and applications.
3.4. Departmental servers found to be taking malicious action against hosts on the institutional network (e.g.; spreading viruses) will be reported to the ISO.
3.4.1. In emergency circumstances, the ISO will attempt to notify the unit head or server administrator whenever it has been determined that a departmental server has become an imminent threat to LIT’s information resources, such as when a server’s integrity is compromised, when it places other network users at risk, or when its defenses against compromise are seriously inadequate for the purpose it serves.
3.4.2. If the ISO cannot contact the unit head or server administrator or the unit head or server administrator does not respond in a timely manner, the ISO is authorized to isolate the offending server from the network until the risk is mitigated.
3.5. LIT Information Technology must be informed of all departmental servers in use.
3.6. Departments will provide the appropriate level of access to LIT Information Technology personnel to allow said personnel to perform security reviews.
4. AUTHORITY AND RESPONSIBILITY
Questions related to this policy should be addressed to the IRM at firstname.lastname@example.org.
Appendix A – Server Management Standards
1. Server administrators shall make every effort to adhere to the latest applicable security configuration benchmarks published by the Center for Internet Security (CIS).
2. Servers shall be located in designated information resources facilities.
3. Prior to being placed on the institutional network, the following tasks shall be performed:
3.1. Unnecessary software, system services, and drivers must be removed.
3.2. Appropriate security features in vendor-supplied systems must be enabled.
3.3. Default passwords must be changed.
3.4. Unnecessary user and support accounts must be disabled.
3.5. Anti-malware software must be installed on susceptible platforms.
4. Vendor-supplied patches must be acquired, tested prior to implementation where practical, and installed promptly based on risk management decisions.
5. Servers shall be tested for known vulnerabilities, including application vulnerabilities, periodically and as needed.
6. A server must not be used for multiple purposes that would put its security or performance at risk.
7. To the extent possible, the system administrator must configure the server operating system and resident applications, if applicable, to display a log-on banner to anyone requesting a connection to the server or application.
8. Access to the server from outside the institutional network should not be provisioned unless absolutely necessary. If remote access is necessary, remote access sessions must be encrypted using SSH, VPN, or similar technologies.
9.1. The server must capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes.
9.2. Server administrators shall review logs for malicious activity on a regular basis and retain them for a period sufficient to address business requirements, document changes to access permissions, and provide an adequate history of transactions for audit requirements. The minimum retention period for server logs is 30 days.
9.3. Based upon risk assessment, server logs should:
9.3.1. Provide the means for authorized personnel to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or result in the release of confidential information.
9.3.2. Maintain audit trails to establish accountability for updates to mission critical information, hardware and software, and automated security or access rules.
9.3.3. Maintain a sufficiently complete history of transactions to permit an audit of the server by logging and tracing the activities of individuals through the system.