University of Minnesota Duluth
 
 
Information Technology Systems and Services.

Procedures for UMD Server Management

May 20, 2014

The purpose of these procedures is to describe special requirements for server management that apply on the UMD campus.

All server administrators must comply with the University of Minnesota Security Policies and Information Security Standards. UMD Information Technology Systems and Services (ITSS) will provide oversight and assistance for the entire campus.

In the event that it is impossible for some policy or standard to be implemented, the system administrator must request a risk assessment from University Information Security, who will document the exception. ITSS will ensure that such a risk assessment is completed and will monitor for compliance.

Data Security Classification

The first thing a system administrator must do is review the types of data stored on each server they administer.

Procedures for managing servers will vary depending upon the classification of the data stored on the server. Server administrators must review the Policy on Data Security Classification as well as the accompanying Appendix on Identifying Security Level.

Servers that store private highly-restricted data must be given extra security, and system administrators of such systems must work closely with ITSS to ensure this. Special requirements for such servers are spelled out in the sections below.

Account Provisioning

System administrators must ensure that their systems comply with the Account Provisioning Standard. ITSS will provide an account provisioning procedure that system administrators outside of ITSS are welcome to use. Systems that store private highly-restricted data must use the ITSS procedures.

Authentication

All servers must comply with the authentication requirements outlined in Basic Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

System administrators are strongly encouraged to use centralized Identity Management Services whenever possible. At present the preferred central authentication tool is Shibboleth.

Backups

Servers must be backed up according to the Backups section of Enhanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. An Information Security Standard on backups is in development.

ITSS will provide backup at no charge for servers that we manage. Administrators who manage their own servers may contract with ITSS for backup services on a billable basis. Administrators of servers that store private highly-restricted data must partner with ITSS to ensure compliance.

Change Control

Servers must comply with the Change Control for Software Development and System Implementation section of Enhanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

ITSS has developed a set of change processes and a UMD Change Approval Board, in which system administrators outside ITSS are welcome to participate. Administrators for servers that store private highly-restricted data must participate in the UMD Change Approval Board processes.

Configuration

All servers must comply with the Server Configuration requirements outlined in Enhanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. An Information Security Standard on patching is in development.

ITSS offers server administration services to the campus. In particular, ITSS strongly recommends using our virtual server infrastructure to improve backup, disaster recovery, and system administration. By contracting with ITSS to provide these services, units pass the responsibility for most aspects of these procedures to ITSS.

Firewalls

Servers must employ device firewalls and, in some instances, network firewalls that meet the device firewalls and network firewall standards.

ITSS will provide specialized network firewalls for servers that store private highly-restricted data or for other servers based on need.

Log Management

System administrators are responsible for ensuring that all servers under their control comply with the Log Management Standard. ITSS has a secure logging server where your logs may be stored upon request.

Servers that store private highly-restricted data, particularly data covered by the Payment Card Industry Data Security Standard (PCI-DSS), must be registered to use the University Information Security log monitoring service. ITSS can help facilitate this.

Media Sanitization

Server storage must follow the Media Sanitization Standard before it can be recycled, sold, returned to the vendor, or leave the campus. See also the Secure Data Deletion and Secure Disposal of Equipment section of Enhanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

ITSS can sanitize and dispose of server storage for UMD units. Server storage that holds private highly-restricted data must be disposed of through ITSS.

Operating System Access Control

Servers must be configured to meet the Operating System Access Control Standard. Servers provided by ITSS meet this standard. Administrators of servers that store private highly-restricted data must partner with ITSS to ensure compliance.

Physical Security for Servers

Servers must be in an appropriate and secure physical facility. ITSS will provide housing for servers in the ITSS data center or in a secure server room. Servers that store private highly-restricted data must be located in a secure physical facility managed by ITSS. Servers must also be compliant with the Physical Security for Servers Standard.

Server Registration, Inventory, and Deregistration

UMD ITSS is responsible for maintaining a list of all campus servers, whether administered by ITSS or not. In order to facilitate the maintenance of this list, all system administrators must register their servers with ITSS. Use our Server Registration, Inventory, and Deregistration process.

Technical Vulnerability Management

All servers must comply with the Technical Vulnerability Management Standard. This standard includes the requirement that servers be scanned for vulnerabilities.

ITSS manages the server scanning process for the campus. In order for us to do this effectively, it is imperative that servers be registered as described in the previous section, especially servers that store private highly-restricted data. Servers covered by the Payment Card Industry Data Security Standard (PCI-DSS) must be scanned by an external scan vendor as well. ITSS will help facilitate this.

Virus/Malware Protection

All servers must comply with the Virus/Malware Protection Standard by ensuring that anti-virus software is installed and running. Servers that store private highly-restricted data must have anti-virus logs managed as well.

Resources

Securing Private Data, Computers, and Other Electronic Devices

Data Security Classification

Identifying Security Level

Security Policies

Information Security Standards

 

 

 


© 2014 University of Minnesota Duluth
The University of Minnesota is an equal opportunity educator and employer.
Last modified on 05/20/14 10:56 AM