Server Administration Policy: IO

PURPOSE:

The purpose of this policy is to establish the framework to protect SPC servers against unauthorized access, disclosure, modification or destruction and to assure the availability, integrity, authenticity, and confidentiality of information. A server is defined as a computer system dedicated to providing services, as a host, to serve the needs of the users of other computers on the network.

 

This policy establishes standards for the base configuration of server equipment (physical or virtual devices), licensing, unnecessary services, default passwords, and disconnection/isolation of threatening servers that are owned and/or operated by SPC.

 

SCOPE:

The SPC Server Administration policy applies to any servers that are owned or managed by SPC.

 

POLICY STATEMENT:

All SPC owned or managed servers will comply with the requirements outlined in this and related SPC policies, TAC§202 (Subchapter C) and other state and federal guidelines and requirements.

 

  1. Server configuration standards and procedures are established and maintained by the Director of IT Operations and approved by the Information Security Officer (ISO).
  2. The Information Resources Manager (IRM) is ultimately responsible for the management of SPC information technology resources.
  3. All servers must be in physically secure locations and must be safeguarded in compliance with the IT Physical Access & Environmental Policy (IZ). Servers are specifically prohibited from operating from uncontrolled cubicle and office areas.
  4. All servers that connect to the SPC network must be installed, configured and managed by the SPC-IS Server Management Team.
  5. The SPC-IS Server Management Team must:
    1. Install and configure servers according to the Director of IT Operations’ standard build documents and procedures, to include (but not limited to):
    2. Install an appropriately licensed server operating system and antivirus protection software.
    3. Make every effort to adhere to the latest applicable security configuration benchmarks published by the Center for Internet Security (CIS).
    4. Disable all default accounts except those required to provide necessary services.
    5. Install the most recent security patches as soon as practical according to Change Management Policy (IJ).
    6. Disable all services and applications that are not required for the server to meet its mission (e.g., Telnet, FTP, DNS, DHCP and SMTP on a file server).
    7. Include the use of standard security principles of least-required access to perform a function (e.g., do not use root access when a non-privileged account will do).
  6. Install appropriately licensed software required by the Data Owner or Application Administrator.
    1. Disable all application default accounts except those required to provide necessary services.
    2. Change the application default passwords for all enabled accounts to one consistent with SPC User Accounts Password Policy (IB).
  7. If a methodology for secure channel connection is necessary, privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
  8. Servers must have the necessary vulnerability scans performed before providing service to the campus or internet. Any serious vulnerability must be corrected before being placed into production.
  9. Those servers that house confidential College data, or that provide access to it, may be required to meet additional requirements as defined by the appropriate data owner.
  10. An SPC device registry is maintained by SPC-IS to facilitate compliance with security policies and procedures and assist in diagnosing, locating and mitigating security incidents on the College network.
    1. Servers that attach to the SPC network must be registered by SPC-IS and approved by the ISO.
    2. Registration must include contact(s) and location, hardware and operating system/version, main function(s) of the server, associated applications, and demonstrated compliance with the required SPC policies, TAC§202 (Subchapter C) and other state and federal requirements.
  • The ISO will require the update of registry information in conjunction with the annual information security risk assessment process.
  11. Application Administrators must:
    1. Enforce the application's usage policies, implement the application-specified access controls, and configure and maintain the server’s application according to the required standards.
    2. Include the use of standard security principles of least-required access to perform a function (e.g., do not grant an administrative account access to the application when a non-privileged account will do).
  12. Backups should be completed regularly based on a risk assessment of the data and services provided and must comply with the Data Backup Policy (IL).
  13. SPC-IS Security or Server Management Team will disconnect a server posing an immediate threat to the SPC network in order to isolate the intrusion or problem and minimize risks.
    1. This can be done without contacting the owner or application administrator if circumstances warrant.
    2. The server will remain disconnected until it is brought back into compliance or is no longer a threat.
  14. SPC cooperates fully with federal, state, and local law enforcement authorities in the conduct of criminal investigations and will file criminal complaints against users who access or utilize the network to conduct a criminal act.
    1. In accordance with the SPC Security Incident Response Plan, incident response best practices must be followed to assure appropriate preservation and treatment of forensic data.
    2. All logs and audit trails pertaining to security-related events on critical or sensitive systems will be managed according to the SPC Incident Response Plan.
    3. The ISO will:
      1. Perform periodic reviews to assure compliance with this policy.
      2. Notify the Information Resources Manager (IRM) of identified concerns and risks.
  15. Exceptions to the Server Administration Policy must be submitted in writing and approved by the ISO. Requests shall be justified, documented, and communicated as part of the risk assessment process.

 

Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

DIR Security Controls Catalog Control Group: CA-1, CP-1

 

Approved by: Executive Council, April 4, 2019

Next Review: October 1, 2020