University of Minnesota Duluth
 
 
Information Technology Systems and Services.

Procedures for UMD Server Management - DRAFT

The purpose of these procedures is to describe special requirements for server management that apply on the UMD campus.

All server administrators must comply with the University of Minnesota Security Policies and Information Security Standards. UMD Information Technology Systems and Services (ITSS) will provide oversight and assistance for the entire campus.

In the event that it is impossible for some policy or standard to be implemented, the system administrator must request a risk assessment from University Information Security, who will document the exception.

Data Security Classification

Procedures for managing servers will vary depending upon the classification of the data stored on the server. Server administrators should review the Policy on Data Security Classification as well as the accompanying Appendix on Identifying Security Level.

Servers that store private highly-restricted data must be given extra security, and system administrators of such systems must work closely with ITSS to ensure this. Special requirements for such servers are spelled out in the sections below.

Account Provisioning

System administrators must ensure that their systems comply with the Account Provisioning Standard. ITSS will provide an account provisioning procedure that system administrators outside of ITSS are welcome to use. Systems that store private highly-restricted data must use the ITSS procedures.

Authentication

All servers must comply with the authentication requirements outlined in Basic Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

Backups

Servers must be backed up according to the Backups section of Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. An Information Security Standard on backups is in development.

Change Control

Servers must comply with the Change Control for Software Development and System Implementation section of Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. ITSS has developed a set of change processes and a Change Advisory Board, in which system administrators outside ITSS are welcome to participate. Administrators for servers that store private highly-restricted data must participate in the UMD Change Advisory Board processes.

Configuration

All servers must comply with the Server Configuration requirements outlined in Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. An Information Security Standard on patching is in development.

ITSS offers server administration services to the campus. In particular, ITSS strongly recommends using our virtual server infrastructure to improve backup, disaster recovery, and system administration. By contracting with ITSS to provide these services, units pass the responsibility for most aspects of these procedures to ITSS.

Firewalls

Servers must employ both device and network firewalls. ITSS will provide specialized network firewalls for servers that store private highly-restricted data or for other servers upon request.

Log Management

System administrators are responsible for ensuring that all servers under their control comply with the Log Management Standard. ITSS has a secure logging server where your logs may be stored upon request.

Servers that store private highly-restricted data, particularly data covered by Payment Card Industry-Data Security Standard (PCI-DSS), must be registered to use the University Information Security log monitoring service. ITSS can help facilitate this.

Media Sanitization

Server storage must follow the Media Sanitization Standard before it can be recycled, sold, returned to the vendor, or leave the campus. See also the Secure Data Deletion and Secure Disposal of Equipment section of Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

ITSS can sanitize and dispose of server storage for UMD units. Server storage that holds private highly-restricted data must be disposed of through ITSS.

Operating System Access Control

Servers must be configured to meet the Operating System Access Control Standard. ITSS will provide an operating system access control procedure that system administrators outside of ITSS are welcome to use. Servers that store private highly-restricted data must use the ITSS procedures.

Physical Security for Servers

Servers must be in an appropriate and secure physical facility. ITSS will provide housing for servers in the ITSS data center or in a secure server room. Servers that store private highly-restricted data must be located in a secure physical facility managed by ITSS. Servers must also be compliant with the Physical Security for Servers Standard.

Server Registration and Monitoring

UMD ITSS is responsible for maintaining a list of all campus servers, whether administered by ITSS or not. In order to facilitate the maintenance of this list, system administrators must register their servers with ITSS. Use our Server Registration and Monitoring process.

Technical Vulnerability Management

All servers must comply with the Technical Vulnerability Management Standard. This standard includes the requirement that servers be scanned for vulnerabilities. ITSS manages the server scanning process for the campus. In order for us to do this effectively, it is imperative that servers be registered as described in the previous section, especially servers that store private highly-restricted data. Servers covered by Payment Card Industry-Data Security Standard (PCI-DSS) must be scanned by an external scan vendor as well. ITSS will help facilitate this.

Virus/Malware Protection

All servers must comply with the Virus/Malware Protection Standard by ensuring that anti-virus software is installed and running. Servers that store private highly-restricted data must have anti-virus logs managed as well.

Resources

Securing Private Data, Computers, and Other Electronic Devices

Data Security Classification

Identifying Security Level

Security Policies

Information Security Standards


© 2014 University of Minnesota Duluth
Last modified on 04/23/14 03:03 PM