Information Technology Standard 06.5.0

Server Management Standard


Date of Current Revision or Creation:ÌýDecember 1, 2019


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to define the system inventory requirements used by Â鶹´«Ã½.

Definitions

Change Management System is a process and set of tools by which changes to IT systems are managed, coordinated, approved, communicated and actions logged.

Hardening Guide is a document with detailed procedures for server security. Due to the nature of the sensitive material, access is restricted.

Information Technology Security Program provides a high-level view of the University's security controls and elements used to satisfy the laws and regulations relevant to information security. The Information Security Officer has delegated authority for the selection and implementation of security controls and manages the overall security program.

ITS is the acronym for the official name of Information Technology Services.

Server is a computer system that provides services to other computer systems over a network. Virtual servers are considered servers under the Server Management standard.

System Administrator is the analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Administrator.

Standards Statement

System Administration

System Administrators must possess fundamental knowledge and/or experience of the principles, practices, and procedures of the systems and platforms they support. Industry or vendor certifications are recommended. System administrators will apply knowledge to ensure that information security risks are managed effectively and should report suspected security incidents to the ISO as soon as they have been identified. For business continuity, at least two people should monitor vendor communication and other notification sources for relevant system information.

Documentation

System configuration documentation is a requirement for all centralized systems. Systems must be operated with the documented configuration and in a manner that provides the best operational performance while applying the greatest information security. Documentation should be current, maintained in a central location and accessible to staff. The level of documentation should be sufficient to:

  • Prevent a dependency on a single key staff member
  • Provide serial numbers or license keys needed for installation and vendor support
  • Test procedures to minimize downtime when changes occur
  • Transmit knowledge to others
  • Provide the most current documentation

System audit logs are configured and their operation verified immediately on initial system setup. Operational audit logs are maintained on a best effort basis equivalent to 120 days. Logs are reviewed by staff and discrepancies are investigated and resolved as necessary. Systems are configured to generate and centrally store all relevant logs off system. Wherever it is possible, controls and activity auditing should be implemented over the use of utility programs that may provide users the ability to override existing system and application controls.

Scheduling Systems Operations

Systems operations and maintenance schedules are planned, authorized, and documented through the Change Management System. System changes should occur within the established standard maintenance window. Changes to operations for mission critical systems are tested in a test environment and approved prior to implementing in production.

Data and Directory Structures

The layout and utilization of data directories and structures is coordinated by IT personnel. This information should be outlined in the system configuration documentation previously noted. Users must adhere to the established structure outlines at all times. During system configuration and as needed thereafter, access restrictions to directories are applied as necessary to restrict unauthorized access. Specific types of auditing may be required based on the type of information on the file system.

Access Control

Access to information and documents is carefully controlled to ensure that only authorized personnel have access to sensitive information. File system permissions are layered with network access permissions so security can be applied to the file system first and the share second. Network access permissions are applied to prevent non-authenticated users from being able to retrieve directory and file information. All systems should have a minimum of two user accounts that are capable of administering the system.

Restarting or Recovering the System

System owners must ensure that adequate back up and system recovery guidelines exist prior to placing a system into production. System administrators are responsible for implementing the direction set by system owners within time and budget.

Updates

Operating system changes (such as service packs, updates, fixes, patches or upgrades) are tested for compatibility and released based on a quarterly schedule determined to be the least disruptive and most effective for the environment. All changes will be coordinated with the System Owners. All servers are required to be configured to utilize centrally managed automatic update services. Application changes (such as updates, fixes, patches or upgrades) are tested for compatibility and deployed based on operational requirements of the System Owner. Vendor recommended updates to software undergo a risk-benefit analysis and are carefully scheduled.

Patches and updates are obtained only from reputable or confirmed sources. Major updates to centralized and/or mission critical systems will undertake a formal project plan and cycle through the Production Change System.

Hardening Operating Systems

Server operating systems are configured to operate only those services required to fulfill the operational requirements of the system. They are initially hardened through the application of the policies established in the Hardening Guide and network scanning. Systems must be initially hardened before they are deployed and are regularly monitored. Hardening standards are established and available to system administrators in the Hardening Guide.

Maintaining Multiple Environments

Servers should be configured to support some combination of development or test environment, a quality assurance or preproduction environment and a production environment depending on the system owner's needs. This practice allows developers greater access and flexibility to a given technology or application environment. The quality assurance or preproduction environment should mimic the production environment as much as possible and adhere to the same standards as the production environment. The production environment is isolated from development and test activities and is managed professionally.

Research Environments

The server recommendations outlined throughout this standard are highly recommended for use in the research environment. Consideration must be given to each individual standard point to determine if it is practical, feasible or financially available to research facilities to implement.

Server Categories

Within the University network, servers are classified and managed differently depending on the business, management, or academic needs and information access and storage requirements. There are different management requirements for each depending on access recovery times and data sensitivity.

Server / Application Security Testing

Systems are scanned with vulnerability assessment tools on initial configuration and on a recurring basis. Any issues identified are documented and resolved in accordance with current security practices. Vulnerability assessments should be performed minimally once per year.

Procedures, Guidelines & Other Related Information

History

December 2006

CIO/ITAC

Created

October 2007

CIO/ITAC

Reaffirmed

October 2008

CIO/ITAC

Reaffirmed

October 2009

CIO/ITAC

Reaffirmed

October 2010

CIO/ITAC

Reaffirmed

October 2011

CIO/ITAC

Reaffirmed

September 2012

CIO/ITAC

Revised

January 2013

IT Policy Office

Updates to Maintain Multiple Environments, Research Environment, and Server Categories.

Numbering revised

November 2016 IT Policy Office Updates to System Administration
December 2019 IT Policy Office Reviewed with minor rewording
Ìý