UPPS No. 04.01.09
Issue No. 3
Effective Date: 12/19/2014
Next Review Date: 11/01/2017 (E3Y)
Sr. Reviewer: Associate Vice President for Technology Resources
UPPS No. 04.01.01, Security of Texas State Information Resources
UPPS No. 04.01.05, Network Use Policy
Device Registry - a database of university network devices maintained by IT Security to assist with incident response and alerts. This registry includes information about the device such as device name, function, operating system, and primary and secondary contact information.
Penetration Test - a penetration test that evaluates the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. The intent of a penetration test is to determine the feasibility of an attack and the potential impact of a successful exploit, if discovered.
Server - a physical or virtual device that provides a specific type of service on behalf of another computer or computer user (i.e., a client). Examples include a file server that stores and manages access to files, a Web server that facilitates access to websites and pages, and a name server that maps user and computer names to machine and network addresses.
Server Administrator - an individual designated by the server owner as principally responsible for performing server management functions, including the installation, configuration, security, ongoing maintenance, and registration of the server.
Server Management - functions associated with the oversight of server operations. These include controlling user access, establishing and maintaining security measures, monitoring server configuration and performance, and risk assessment and mitigation.
Server Owner - the department or unit head charged with overall responsibility for the server asset in the university’s inventory records.
Vulnerability Patch - an update provided by a vendor to correct a flaw or weakness in a component’s design, implementation, or operation and management that could be exploited to violate the component’s security or integrity. All software and hardware are subject to vulnerability and firmware patches.
Vulnerability Scan - a procedure that proactively identifies the vulnerabilities of a networked computing system to determine if and where that system is vulnerable to exploitation or threat. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, tests the system for these flaws, and reports the findings to improve the security of the system and the network to which the system is connected.
Before connecting to the Texas State university network, servers must comply with the general requirements outlined in this policy, as well as all of the following:
UPPS No. 04.01.05, Network Use Policy (specifically Section 04. describing the requirements for devices connecting to the university network);
Texas State’s Server Management Technical and Security Standards and Procedures; and
Contact the Information Technology Assistance Center (ITAC) at 512-245-ITAC (4822), or IT Security at 512-245-HACK (4225), with questions about the guidance provided in these documents.
Server administrators shall also make every effort to adhere to the latest applicable Security Configuration Benchmarks published by the Center for Internet Security (CIS). CIS Benchmarks are provided for a wide array of operating systems, application software, and multiple versions thereof. CIS Benchmarks are defined via consensus among security professionals worldwide and used by thousands of enterprises as their de facto local configuration standards. Contact Texas State’s IT Security team (firstname.lastname@example.org) for assistance in utilizing these benchmarks.
IT Security maintains a device registry to facilitate compliance with security policies and procedures and assist in diagnosing, locating and mitigating security incidents on the university network. Server owners must register their servers in this registry and maintain the accuracy of their servers’ registry information. IT Security will require the update of registry information in conjunction with the annual information security risk assessment process.
The server owner is responsible for the management, operation, and security of the server. At a minimum, the owner must assure the following:
the server is registered in the device registry described above;
physical and network access to the server is properly controlled; and
the server’s operational configuration is maintained within the security and operational parameters described in this policy.
The owner may delegate specific server management responsibilities to a server administrator to achieve these objectives, but the server owner retains ultimate responsibility.
Before purchasing any equipment for use as a server, departments should contact ITAC to explore alternatives for centrally hosting the desired services. If adequate resources do not already exist, Technology Resources will assist the department in configuring a server adequate to address the requirements.
System owners and administrators shall adhere to the provisions of Section 04.10 of UPPS No. 04.01.01, Security of Texas State Information Resources, when transferring, repurposing, destroying, or otherwise disposing of their server.
System administrators must subscribe to vendor notification and automated update services appropriate to the software hosted on their servers. System administrators may be required to subscribe to university-provided notification and update services (or equivalent) as those services become available (e.g., SCCM - System Center Configuration Manager).
It is not possible for this policy to address every specific issue regarding server management at Texas State that may arise. Server owners and administrators are expected and encouraged to seek guidance from ITAC, which will involve other components of the IT division as necessary to meet these responsibilities.
Exceptions to this policy require collaboration with Technology Resources and express permission from the associate vice president for Technology Resources or a designee.
PROCEDURES FOR RESPONSE TO THREATS AND POLICY VIOLATIONS
Texas State’s IT Security team employs a variety of techniques and technologies, including regular network vulnerability scans and penetration tests, to identify potential risks to campus information resources and to monitor compliance with this policy. IT Security will notify the registered server administrator of any protection deficiencies discovered in the course of these activities and recommend options for eliminating the deficiencies. If the deficiencies are not corrected or the server remains out of compliance for three or more calendar days following notification, IT Security may, with the concurrence of the information security officer or the associate vice president for Technology Resources, disable the server’s connection to the university network until the deficiency is remedied.
In emergency circumstances, IT Security will attempt to notify the server owner or administrator whenever it determines that a server has become an imminent threat to university information resources, such as when a server’s integrity is compromised, when it places other network users at risk, or when its defenses against compromise are seriously inadequate for the purpose it serves. If Technology Resources or IT Security cannot contact the server administrator or the administrator does not respond in a timely manner, IT Security may isolate the offending server from the network until the risk is mitigated. If the threat results in the inappropriate disclosure of sensitive or restricted and confidential information, IT Security will initiate the incident management procedures in Section 10. of UPPS No. 04.01.01, Security of Texas State Information Resources.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
|Associate Vice President for Technology Resources||November 1 E3Y|
|Special Assistant to the Vice President for Information Technology||November 1 E3Y|
|Information Security Officer||November 1 E3Y|
|Director, Core Systems||November 1 E3Y|
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Associate Vice President for Technology Resources; senior reviewer of this UPPS
Vice President for Information Technology