Procedure: University of Minnesota Duluth
This procedure describes requirements for server management that apply on the UMD campus.
All server administrators must comply with the University of Minnesota Security Policies and Information Security Standards. UMD Information Technology Systems and Services (ITSS) will provide oversight and assistance for the entire campus. ITSS offers server administration services to the campus. In particular, ITSS strongly recommends using our virtual server infrastructure to improve backup, disaster recovery, and system administration. By contracting with ITSS to provide these services, units pass the responsibility for most aspects of these procedures to ITSS.
In the event that it is impossible for some policy or standard to be implemented, the system administrator must request a risk assessment from University Information Security, who will document the exception. ITSS will ensure that such a risk assessment is completed and will monitor for compliance.
Server Registration, Inventory, and Deregistration
UMD ITSS is responsible for maintaining a list of all campus servers, whether administered by ITSS or not. In order to facilitate the maintenance of this list, all system administrators must register their servers with ITSS. Use our Server Registration, Inventory, and Deregistration process.
Server Security Standards and Processes
Data Security Classification
The first thing a system administrator must do is review the types of data stored on each server they administer.
Procedures for managing servers will vary depending upon the classification of the data stored on the server. Server administrators must review the Policy on Data Security Classification as well as the accompanying Appendix on Identifying Security Level.
Servers that store private highly-restricted data must be given extra security, and system administrators of such systems must work closely with ITSS to ensure this. Special requirements for such servers are spelled out in the sections below.
Once you have identified the data security classification for your server, you must review and comply with the following standards from the University of Minnesota Security Policies and Information Security Standards.
| Standard | Requirements |
|---|---|
| Account Provisioning | System administrators must ensure that their systems comply with the Account Provisioning Standard. ITSS will provide an account provisioning procedure that system administrators outside of ITSS are welcome to use. Systems that store private highly-restricted data must use the ITSS procedures. |
| Authentication | All servers must comply with the Authentication Standards, a set of procedures associated with the Information Security policy. System administrators are strongly encouraged to use centralized Identity Management Services whenever possible. At present the University supports a number of Authentication Services, including Shibboleth, Duo Two Factor Authentication, LDAP Authentication, and Eduroam. |
| Backups | Servers must be backed up according to the Backup & Recovery of Data and/or Backup & Recovery of Software and System Configuration standards. ITSS will provide backup at no charge for servers that we manage. Administrators who manage their own servers may contract with ITSS for backup services on a billable basis. Administrators of servers that store private highly-restricted data must partner with ITSS to ensure compliance. |
| Change Control | Server admins must comply with the Change Control Standard and Process. ITSS has developed a set of change processes and a UMD Change Approval Board (CAB) in which system administrators outside ITSS are welcome to participate. Administrators for servers that store private highly-restricted data must participate in the UMD Change Approval Board processes. |
| Firewalls | Servers must employ device firewalls and in some instances network firewalls that meet the device firewall and network firewall standards. ITSS will provide specialized network firewalls for servers that store private highly-restricted data or for other servers based on need. |
| Log Management | System administrators are responsible for ensuring that all servers under their control comply with the Log Management Standard. ITSS has a secure logging server where your logs may be stored upon request. Servers that store private highly-restricted data, particularly data covered by Payment Card Industry-Data Security Standard (PCI-DSS), must be registered to use the University Information Security log monitoring service. ITSS can help facilitate this. |
| Media Sanitization | Server storage must follow the Media Sanitization Standard before it can be recycled, sold, returned to the vendor, or leave the campus. ITSS can securely sanitize and dispose of server storage for UMD units. Server storage that holds private highly-restricted data must be disposed of through ITSS for auditing and tracking purposes. |
| Operating System Access Control | Servers must be configured to meet the Operating System Access Control Standard. Servers provided by ITSS meet this standard. Servers that store private highly-restricted data must partner with ITSS to ensure compliance. |
| Data Center / Physical Security for Servers | Servers must be in an appropriate and secure physical facility. ITSS will provide housing for servers in the ITSS Data Center. Servers that store private highly-restricted data must be located in a secure physical facility managed by ITSS. Remote access to managed servers must be completed using secure VPN. |
| Security Patching | All servers must be patched to meet the Security Patching Standard. |
| Technical Vulnerability Management | All servers must comply with the Technical Vulnerability Management Standard. This standard includes the requirement that servers be scanned for vulnerabilities. ITSS manages the server scanning process for the campus. In order for us to do this effectively, it is imperative that servers be registered as described in the previous section, especially servers that store private highly-restricted data. Servers covered by Payment Card Industry-Data Security Standard (PCI-DSS) must be scanned by an external scan vendor as well. ITSS will help facilitate this. |
| Virus/Malware Protection | All servers must comply with the Virus/Malware Protection Standard by ensuring that anti-virus software is installed and running. Servers that store private highly-restricted data must have anti-virus logs managed as well. |
- Effective: May 20, 2014