UPPS 04.01.09 - Server Management Policy
Server Management Policy
UPPS No. 04.01.09
Issue No. 5
Effective Date: 11/21/2019
Next Review Date: 6/01/2022 (E3Y)
Sr. Reviewer: Associate Vice President for Technology Resources
- This policy promotes the appropriate management of university servers to achieve consistency, increase availability and security, facilitate disaster-recovery, coordinate technical operations and apply sound information technology (IT) management practices consistently throughout Texas State University.
Application Administrator – the designated administrator of a hosted service. This person is the responsible party for the operation of the application.
Device Registry – a database of university network devices maintained by Information Security to assist with incident response and alerts. This registry includes information about the device such as device name, function, operating system, and primary and secondary contact information.
Hosted Service – a service hosted by Technology Resources either in the Texas State datacenter or in a cloud environment.
Penetration Test – evaluates the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. The intent of a penetration test is to determine the feasibility of an attack and the potential impact of a successful exploit, if discovered.
Server – a physical or virtual device that provides a specific type of service on behalf of another computer or computer user (i.e., a client). Examples include a file server that stores and manages access to files, a web server that facilitates access to websites and pages, and a name server that maps user and computer names to machine and network addresses.
Server Administrator – an individual designated by the server owner as principally responsible for performing server management functions, including the installation, configuration, security, ongoing maintenance, and registration of the server.
Server Management – functions associated with the oversight of server operations. These include controlling user access, establishing and maintaining security measures, monitoring server configuration and performance, and risk assessment and mitigation.
Server Owner – the department or unit head charged with overall responsibility for the server asset in the university’s inventory records.
Vulnerability Patch – an update provided by a vendor to correct a flaw or weakness in a component’s design, implementation, or operation and management that could be exploited to violate the component’s security or integrity. All software and hardware are subject to vulnerability and firmware patches.
Vulnerability Scan – a procedure that proactively identifies the vulnerabilities of a networked computing system to determine if and where that system is vulnerable to exploitation or threat. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, tests the system for these flaws, and reports the findings to improve the security of the system and the network to which the system is connected.
Before connecting to the Texas State university network, servers must comply with the general requirements outlined in this policy, as well as all of the following:
UPPS No. 04.01.05, Network Use Policy (specifically, Section 04. describing the requirements for devices connecting to the university network);
Texas State’s Server Management Technical and Security Standards and Procedures; and
Contact the IT Assistance Center (ITAC) at 512. 245.ITAC (4822), or Information Security at 512. 245.HACK (4225), with questions about the guidance provided in these documents.
Server administrators shall also make every effort to adhere to the latest applicable Security Configuration Benchmarks published by the Center for Internet Security (CIS). CIS Benchmarks are provided for a wide array of operating systems, application software, and multiple versions thereof. CIS Benchmarks are defined via consensus among security professionals worldwide and used by thousands of enterprises as their de facto local configuration standards. Contact Texas State’s Information Security team (email@example.com) for assistance in utilizing these benchmarks.
Information Security maintains a device registry to facilitate compliance with security policies and procedures and assist in diagnosing, locating, and mitigating security incidents on the university network. Server owners must register their servers in this registry and maintain the accuracy of their servers’ registry information. Information Security will require the update of registry information in conjunction with the annual information security risk assessment process.
The server owner is responsible for the management, operation, and security of the server. At a minimum, the owner must assure the following:
the server is registered in the device registry described in Section 04.03;
physical and network access to the server is properly controlled; and
the server’s operational configuration is maintained within the security and operational parameters described in this policy.
The owner may delegate specific server management responsibilities to a server administrator to achieve these objectives, but the server owner retains ultimate responsibility.
Before purchasing any equipment for use as a server, departments should contact ITAC to explore alternatives for centrally hosting the desired services. If adequate resources do not already exist, Technology Resources will assist the department in configuring a server adequate to address the requirements.
System owners and administrators shall adhere to the provisions of Section 02.10 of UPPS No. 04.01.11, Risk Management of Information Resources, when transferring, repurposing, destroying, or otherwise disposing of their server.
System administrators must subscribe to vendor notification and automated update services appropriate to the software hosted on their servers. System administrators may be required to subscribe to university-provided notification and update services (or equivalent) as those services become available (e.g., System Center Configuration Manager-- SCCM).
Hosted services are provided by Technology Resources after a review by the Information Security Office and must have a data security plan in place before any services will be provided.
Application administrators of a hosted service are responsible for the data and administration of the application and any dependencies. Technology Resources has posted Server Admin Guidelines that all application administrators must follow and details the responsibilities of both parties.
It is not possible for this policy to address every specific issue regarding server management at Texas State that may arise. Server owners and administrators are expected and encouraged to seek guidance from ITAC, which will involve other components of the IT division as necessary to meet these responsibilities.
Exceptions to this policy require collaboration with Technology Resources and the Information Security Office, as well as the express permission from the associate vice president for Technology Resources or a designee.
PROCEDURES FOR RESPONSE TO THREATS AND POLICY VIOLATIONS
Texas State’s Information Security team employs a variety of techniques and technologies, including regular network vulnerability scans and penetration tests, to identify potential risks to campus information resources and to monitor compliance with this policy. Information Security will notify the registered server administrator of any protection deficiencies discovered in the course of these activities and recommend options for eliminating the deficiencies. If the deficiencies are not corrected or the server remains out of compliance for three or more calendar days following notification, Information Security may, with the concurrence of the Information Security officer or the associate vice president for Technology Resources, disable the server’s connection to the university network until the deficiency is remedied.
In emergency circumstances, Information Security will attempt to notify the server owner or administrator whenever it determines that a server has become an imminent threat to university information resources, such as when a server’s integrity is compromised, when it places other network users at risk, or when its defenses against compromise are seriously inadequate for the purpose it serves. If Technology Resources or Information Security cannot contact the server administrator or the administrator does not respond in a timely manner, Information Security may isolate the offending server from the network until the risk is mitigated. If the threat results in the inappropriate disclosure of sensitive or restricted and confidential information, Information Security will initiate the incident management procedures in UPPS No. 04.01.10, Information Security Incident Management.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
Position Date Associate Vice President for Technology Resources June 1 E3Y Chief Information Security Officer June 1 E3Y Director, Core Systems June 1 E3Y
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Associate Vice President for Technology Resources; senior reviewer of this UPPS
Vice President for Information Technology