University of Notre Dame > OIT

Office of Information Technologies

services banner

IT Policies
IT Standards
OIT Policies & Procedures
Copyright Information

>IT Policies Home

security banner

RSS Feed
Subscribe to the OIT Security Alerts RSS Feed

OIT Home > Policies > IT Standards > Server Management Standard

Server Management Baseline Standard

July 2, 2008

1. Background and Rationale

The University Information Security Policy requires controls to manage risks to the confidentiality, integrity and availability of University information. This standard defines controls for the management of servers that handle University information.

2. Access

Access to University information must be authorized in accordance with the University’s Highly Sensitive Information Handling Standard.

The following access control is required for all servers that handle Sensitive or Highly Sensitive information, and is recommended for all other servers:

  • Conduct an account review at least once every six months to verify the business need for all system accounts.

3. Physical Security

The following physical controls are required for all servers that handle Sensitive or Highly Sensitive information. They are optional for all other servers.

  • House servers in a room that is protected by a centrally monitored alarm system that is armed when personnel are not present.
  • Log physical access to rooms that house servers, and retain the logs for a minimum of one year.

The following physical controls are required for all servers that handle Highly Sensitive information. They are recommended for servers that handle Sensitive information.

  • House servers in a room protected by two-factor authentication.
  • Monitor servers by video surveillance, with images retained for a minimum of 3 months.

4. Technical Security

The following technical controls are required for all servers:

  • All administrative access requires authentication and individually assigned user names, and should be exercised using privilege-escalation mechanisms (e.g., “run as” or “sudo”) wherever possible and practical.
  • Do not share passwords for special purpose accounts such as “root” and “administrator,” record them for emergency access, and store them in a locked, monitored location (e.g., the safe in the OIT datacenter).
  • Document accesses to such passwords, and change and re-record them promptly if they are disclosed to anyone other than the originator.
  • Encrypt all network-based administrative access to servers.
  • Do not store, process or transmit University information on any server that does not meet both this standard and the relevant Security Configuration Standards [netID login required].
  • Review access logs monthly for indications of unauthorized access. Report any suspicious events according to the Incident Response Policy.

The following technical controls are required for all servers that handle Sensitive or Highly Sensitive information and recommended for all other servers.

  • All access must use authentication and individually assigned user names.
  • Log all access to information on servers to a separate log server and retain the log for a minimum of one year.
  • Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system files, and configure the software to perform critical file comparisons daily.
  • Perform vulnerability scans at least monthly, and remediate any identified vulnerabilities within 30 days. Retain scan reports for a minimum of one year.

The following technical control is required for all servers that handle Highly Sensitive information, and is recommended for all servers that handle Sensitive information.

  • Use two-factor authentication for all network-based access by system or application administrators.

5. Administration

The following administrative controls are required for all servers that handle Sensitive or Highly Sensitive information and are recommended for all other servers.

  • Designate qualified system administrator(s) responsible for each server.
  • Complete, maintain and file with the OIT a Run Book for each server.
  • Follow change control procedures for all system and software configuration changes. The procedures must include the following:
    • Documentation of impact
    • Management signoff by appropriate parties
    • Testing of operational functionality
    • Back-out procedures

6. Exceptions

Exceptions to this standard require the approval of the University’s Chief Information Officer.

7. Definitions

Encrypt(ion)
The process of encoding data so that it can only be read using the appropriate key.

File Integrity Monitoring Software
Software that automatically detects files on servers, and provides significant file integrity detail, such as creation and modification dates and the login name of any user who modifies the file.

Highly Sensitive Information
Information intended for very limited use within the University that, if disclosed, could be expected to have a severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.

Run Book
A written set of procedures for the routine and exceptional operation of a system or network by an administrator or operator.

Sensitive Information
Information intended for limited use within the University that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.

System Administrator
A person who is responsible for managing a multi-user computing environment. Responsibilities typically include installing and configuring system hardware and software, establishing and managing user accounts, upgrading software and backup and recovery tasks.

Two-Factor Authentication
A security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code

University Information
All information that the University of Notre Dame or its agents use in the course of conducting University business, except those materials specifically excluded from University ownership as set forth in the University's Intellectual Property Policy.

Vulnerability Scan
Use of a computer program designed to search for and map systems for weaknesses in an application, computer or network

8. Reference Documents

9. Contacts

Address inquiries about the standard to the OIT's Information Security Office (link) or send e-mail to infosec@nd.edu.

Address inquiries about properly managing privileged OS accounts to the OIT's Operations & Engineering Department.

 
 

Need answers?
Contact the OIT Help Desk at oithelp@nd.edu or 574-631-8111.