Body
PURPOSE
The purpose of this policy is to establish the framework to protect Sam Houston State University (SHSU) servers against unauthorized access, disclosure, modification, or destruction and to assure the availability, integrity, authenticity, and confidentiality of information. A server is defined as a computer system dedicated to providing services, as a host, to serve the needs of the users of other computers on the network.
This policy establishes standards for the base configuration of server equipment (physical or virtual devices), licensing, unnecessary services, default passwords, and disconnection/isolation of threatening servers that are owned and/or operated by SHSU.
SCOPE
The SHSU Server Administration policy applies to all personnel and departments that utilize any servers or information technology resources that are owned or managed by SHSU.
POLICY STATEMENT
All personnel and departments utilizing SHSU-owned or managed servers will comply with the procedures required in this and related SHSU policies, Texas State University System (TSUS) Rules and Regulations, and other state and federal guidelines and requirements.
PROCEDURES:
- Server and storage information systems configuration standards and procedures are established and maintained by IT Systems and Operations and approved by the Information Security Officer (ISO).
- All server and storage information systems must be in physically secure locations and must be safeguarded in compliance with the IT Physical Access & Environmental Policy (IT-25). Servers are specifically prohibited from operating from uncontrolled cubicle and office areas.
- All server and storage information systems that connect to the SHSU network must be installed, configured, and managed by IT Systems and Operations.
- All server and storage information systems must be configured to the following minimum specifications:
- Install an appropriately licensed server operating system and antivirus protection software.
- Make every effort to adhere to the latest applicable security configuration benchmarks published by the Center for Internet Security (CIS).
- Disable all default accounts except those required to provide necessary services.
- Install the most recent security patches as soon as practical according to Change Management Policy (IT-09).
- Disable all services and applications that are not required for the server to meet its mission (e.g., Telnet, FTP, DNS, DHCP and SMTP on a file server).
- Include the use of standard security principles of least-required access to perform a function (e.g., do not use root access when a non-privileged account will do).
- Install appropriately licensed software required by the Data Owner or Application Administrator.
- If a methodology for secure channel connection is necessary, privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).
- Servers must have the necessary vulnerability scans performed before providing service to the campus or internet. Any serious vulnerability must be corrected before being placed into production.
- Those servers that house confidential university data, or that provide access to it, may be required to meet additional requirements as defined by the appropriate data owner.
- An SHSU device registry is maintained by IT to facilitate compliance with security policies and procedures and assist in diagnosing, locating, and mitigating security incidents on the university network.
- Servers that attach to the SHSU network must be registered by IT and approved by the ISO.
- Registration must include contact(s) and location, hardware and operating system/version, main function(s) of the server, associated applications, and demonstrated compliance.
- The ISO will require the update of registry information in conjunction with the annual information security risk assessment process.
- Information system owners and custodians must:
- Enforce the application's usage policies, implement the application-specified access controls, and configure and maintain the server’s application according to the required standards.
- Include the use of standard security principles of least-required access to perform a function (e.g., do not grant an administrative account access to the application when a non-privileged account will do).
- Backups should be completed regularly based on a risk assessment of the data and services provided and must comply with the Data Backup Policy (IT-11).
- The ISOIT will disconnect a server or storage information system posing an immediate threat to the SHSU network to isolate the intrusion or problem and minimize risks.
- This can be done without contacting the owner or custodian if circumstances warrant.
- The server or storage information system will remain disconnected until it is brought back into compliance or is no longer a threat.
- SHSU cooperates fully with federal, state, and local law enforcement authorities in the conduct of criminal investigations and will file criminal complaints against users who access or utilize the network to conduct a criminal act.
- In accordance with the SHSU Security Incident Response Standard/Plan, incident response best practices must be followed to assure appropriate preservation and treatment of forensic data.
- If available, the following logs and audit trails pertaining to security-related events on critical or sensitive systems shall be maintained:
- Operating System Events
- start up and shut down of the system
- start up and shut down of a service
- network connection changes or failures
- changes to, or attempts to change, system security settings and controls
- Operating System Audit Records
- log on attempts (successful or unsuccessful)
- the function(s) performed after logged on (e.g., reading or updating critical file, software installation)
- account changes (e.g., account creation and deletion, account privilege assignment)
- successful/failed use of privileged accounts
- Application Account Information
- successful and failed application authentication attempts
- application account changes (e.g., account creation and deletion, account privilege assignment)
- use of application privileges
- Application operations
- application startup and shutdown
- application failures
- major application configuration changes
- application transactions, for example,
- e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail
- Web servers recording each URL requested and the type of response provided by the server
- business applications recording which financial records were accessed by each user
- The details logged for each event may vary widely, but at minimum each event should capture
- timestamp
- event, status, and/or error codes
- service/command/application name
- user or system account associated with an event
- Device used (e.g., source and destination IPs, terminal session ID, web browser, etc.)
- The ISO will:
- Perform periodic reviews to assure compliance with this policy.
- Notify the Information Resources Manager (IRM) of identified concerns and risks.
- Exceptions to the Server Administration Policy must be submitted in writing and approved by the ISO. Requests shall be justified, documented, and communicated as part of the risk assessment process.
REFERENCE
There are many individual laws, regulations, and policies that establish our information security requirements. While it is not possible to list all potentially applicable laws and regulations, the most relevant are listed in the TSUS Rules and Regulations, Rule III Paragraph 19 and associated TSUS IT Policies.
Version: 1.02
Approved By: President’s Cabinet, May 2, 2023
Reviewed By: Heather Thielemann, Information Resources Manager, May, 2023
Next Review: May 2024