Skip to content. | Skip to navigation

Advanced Search…
Personal tools
You are here: Home Policies and Standards ISO ISO PS013 Server Computing Devices

ISO PS013 Server Computing Devices

Policies and Standards
ISO PS013 Server Computing Devices
[Previous]  [Next]  [Policy Home]

Policy Name: Server Computing Devices
Policy Number: IS PS013
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0

POLICY:

The University maintains enterprise class secured data centers for the housing of university servers. All servers used to store, process or transmit sensitive information must be registered with the Information Security Office.

All server computing devices must:

  • be maintained in an environment and manner designed to physically and logically restrict access to authorized users;
  • be used in a manner designed to maintain data, system and network integrity; and
  • have operating systems and other software maintained in the most up-to-date and secure manner reasonably possible.

STANDARDS:

Note: These standards apply for servers fully managed by IT as well as those partially or fully managed by other University entities or constituents.

Administrative standards:

Implementation

  • The Dean of each school or administrative Division Head is responsible for server devices administratively within their area, for ensuring the implementation of the Server Computing Device security policies, standards, and procedures including implementing methods to:
    • Educate the school or division server administrators on Server Computing Device security practices.
    • Configure and maintain the school or division servers to meet the Server Computing Device and other applicable standards.

Documentation

  • Procedures for complying with these policies and standards, as well as any additional school or administrative division policies and standards will be developed and maintained by Dean or Division Head's designee for each school, administrative division or other subsidiary unit.
  • All school or division policies, standards and procedures for servers must be well documented, up-to-date and meet or exceed the minimum requirements established in this policy.
  • After review and approval by the Dean or Division Head's designee, documentation of procedures for the school or division is to be forwarded, in electronic format, to the Information Security Office for review and University records. All major updates to the documentation and their effective dates should be forwarded to the Information Security Office.

Compliance

  • Each school or division is expected to ensure compliance with these policies and standards as well as their own policies, standards and procedures.
  • The Information Systems Security Officer will work with Audit Services, IT and others to schedule periodic audits of servers to further ensure compliance with the policies and standards.

Use of Computing Devices

  • Computing devices and access to the network and Internet are provided to perform university functions.

Licensing

  • Licensing documentation must be maintained for software loaded on any servers attached to the University network or otherwise hosted by the University.

Technical and physical standards:

System Maintenance:

  • All server operating systems and other software should be kept up-to-date by reviewing and installing appropriate security updates, patches and tools on a regular schedule but not less than every thirty days.

Physical System Access:

  • All servers must be kept in a secured access controlled environment. Reasonable efforts should be made to limit and/or monitor physical access to servers to authorized personnel. See IS PS009 Data Facility Security.
  • Systems used to store, transmit or access electronic Protected Health Information (ePHI)
    In addition to physical security requirements above, each responsible area must:
    • Implement and maintain physical safeguards to restrict access to only authorized users for all server devices that store, transmit or access ePHI,
    • Define the functions allowed on a server device that stores, transmits or accesses ePHI

Software:

  • Server class operating systems and software must be used for University servers.
  • Non-University IT Division servers must be:
    • approved for the specified use by the School or Division's Dean or Vice President and Technology management,
    • currently supported for security updates, and be
    • in full compliance with all applicable Information Security policies.

Logical System Access and Security:

  • Passwords
    All servers must require entry of a user ID and complex password. See IS PS008 Passwords.
  • Administrator Account, other Privileged Accounts and User Accounts
    Administrator and Privileged Accounts
    • Individuals with server administrative rights must be familiar with and abide by IS PS007 User Accounts and Acceptable Use as well as all technology standards, policies and procedures in using these rights. The default administrator account should be renamed where technically possible.
    • The Administrator or other equivalent accounts must not be used as active user accounts. All accounts with administrative rights should only be used when necessary and must have a complex password.
  • User Accounts
    • Any operating system or enterprise/back office software requiring accounts to be set-up for users must use the least required access approach for configuring user access to these accounts.
  • Activity and Transaction Auditing, Logging and Monitoring
    • User activity within the system should be monitored. Audit and/or transaction logs should be maintained, monitored and/or audited as appropriate for the system. Appropriate auditing, logging and monitoring activity must be defined in the context of applicable laws and regulations as well as reasonable practice to ensure the integrity and security of the system.
    • All servers processing sensitive information should log any transactions or other events that cause the creation, updating/modification or deletion of this type of information.
    • This logging should be done at the server operating system, database and/or application levels, as appropriate, to ensure that these activities are captured.
    • Logs should include as much of the following information as is technically and reasonably possible: Date, time, user ID, transaction/activity type, event type (write, update/modify, delete, read), data changed (data before and after change or data after change) and other information necessary to analyze and/or reconstruct transactions, activity or events.
    • Systems used to store, transmit or access electronic Protected Health Information (ePHI):
      Server devices in this category must enable logging as described above for ePHI data.
  • System Time-Out
    All server authentications or server software accessed by end-users must be configured to lock after a short period of inactivity (10 minutes is the recommended time unless system requirements necessitate a longer time) and require a user ID and password or other authentication mechanism to unlock or reactivate. Automated programs and services should also be configured with an authentication time-out unless this prevents proper functioning of the program or service.
  • Security and integrity of data
    All servers used to store, process or transmit sensitive information must maintain this information in a secure fashion. Encryption of proprietary or sensitive data fields, files or storage partitions or encryption of the entire system storage area is the recommended method to secure this data. If this data is transmitted over any networks other than the University's internal network, the data or the transmission protocol should be encrypted. (See back-up standard below - it is important that all proprietary or sensitive information be backed up to prevent loss in the event of equipment loss or hardware failure).
    • Systems used for electronic Protected Health Information (ePHI):
      Server devices in this category must use encryption as described above unless the device is maintained, used and accessed only in a highly secure access controlled environment.
    • Systems used to store, transmit or access other personally identifiable sensitive information:
      This information includes personally identifiable grades and other enrollment information, salary and other financial information, social security number, addresses, phone numbers as well as other information of a personal nature. Server devices in this category must use encryption as described above unless the device is maintained, used and accessed only in a highly secure, access controlled environment.
  • Wireless Network Access
    All servers must use a hardwired network connection.
  • Protection from Malicious Software:
    All servers must -
    • Run real time virus protection if such software is available for the computing device;
    • Utilize a hardware (preferred) and/or software firewall either for the server or for a dedicated network server subnet;
    • Use spyware protection and detection programs, if available;
    • Have all operating system and software services not required for the proper functioning of the server be disabled or set to manually start if occasionally used.

    See IS PS014 Protection from Malicious Software.

  • Data Backup and Recovery
    • Files containing valuable information1 must be backed up (note that the University network drives may be suitable for many back-ups).
    • Back-ups will be performed on a regular basis.
    • Back-ups will be maintained in a secure environment removed from the physical location of the server.
    • Back-ups should be encrypted and password protected and must be encrypted if custody of the back-ups is entrusted to either a third party (non-UofL personnel) or to personnel outside the University hybrid covered entity in the case of ePHI.
    • Ability to successfully recover back-up files will be tested periodically (at least every 180 days) and at the time of any significant hardware or software updates or changes to the system.

    See IS PS015 Backup and Retention of Data, IS PS002 Business Continuity and Disaster Recovery.

E-Mail, Calendar and Personnel/Group Scheduling Servers - Additional technical standards:

  • Interoperability:
    Systems designed to perform email, calendaring or scheduling must automatically interoperate with the University furnished enterprise solution for these tasks. This includes all University schools, divisions, and other affiliated entities.
    • E-mail must flow in a timely fashion between the systems and remain within the University network while doing so.
    • Calendar and personnel/group scheduling functions must work in both directions so that personnel using the Enterprise system or personnel using a specific School, Administrative Division or other University entity solution are able to transparently review personnel availability, schedule meetings, and related expected functions.

SCOPE / APPLICABILITY:

All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.

REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council

[Next]

Document Actions

10/27/2008
University of Louisville Selects GuardianEdge to Protect Sensitive Data for Faculty, Staff, Doctors and Researchers

  • GuardianEdge, the leader in enterprise endpoint data protection, today announced that the University of Louisville has selected the GuardianEdge Hard Disk Encryption, Smartphone Protection and Device Control solutions to safeguard data for faculty and staff, doctors and researchers. [Click here for more information]

10/20/08
Fourth Annual Cyber-Security Awareness Week was a BIG Success!

08/25/08
Safe computing starts with knowing the rules of the road (InfoSec Bulletin #7 - August 25, 2008)

08/20/07
Information Security Policies
and Standards Approved: