1.0 Purpose and Scope
The purpose of this policy is to establish standards for the base configuration of server equipment that is owned and/or operated by GHSU. Effective implementation of this policy will minimize unauthorized access to GHSU proprietary information and technology.
This policy applies to server equipment owned and/or operated by GHSU and to servers registered under any GHSU-owned internal network domain. This policy is specifically for equipment on the internal GHSU network.
3.1 Ownership and Responsibilities
All internal servers that are currently deployed at GHSU must be managed by an operational group that is accountable for all aspects of server administration.
Servers must be registered with ITSS. Minimally, the following information is required:
- Contact information for systems administrator (individual or group accountable for the server).
- Location of server hardware.
- Hardware and operating system version.
- Main functions and applications.
- Primary users.
- Property record number.
All requests for new departmental servers will be evaluated on a case-by-case basis. Approval will be determined by the services necessary to be delivered. If the services are unique and cannot be easily supported by ITSS, the purchase and deployment of the server will be approved under the guidelines described within this policy.
All servers will follow standard security configurations approved by the ITSS Security Administration. Server configuration documentation must be established and maintained by the operational group, based on business needs and approved by ITSS Security Administration. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by ITSS Security Administration.
3.2 General Configuration and Administration Requirements
- The most recent security patches must be installed on the system as soon as is practical, the only exception being when immediate application would interfere with business requirements.
- Operating systems no longer supported by the vendor must be upgraded or decommissioned.
- All servers must be configured with ITSS-approved vulnerability assessment software.
- Operating system configurations must comply with ITSS-approved security policies.
- Services not specifically required must be disabled or removed where practical. Needed services must be secured.
- All ports not required for services offered must be disabled or blocked.
- If a methodology for secure channel connection is technically feasible, privileged access must be performed over secure channels and encrypted network connections using SSH or IPSec. Sensitive information must be accessed over secure channels with no exceptions.
- Access to services must be logged and protected through approved access-control methods. Authentication logs should be retained for 3 months.
- Servers containing sensitive and/or confidential data should export their authentication logs to a central log host (e.g. SYSLOG server).
- Trust relationships between systems are a security risk and may not be used unless no other method of communication will meet system needs. If a trust relationship must be employed, prior approval should be obtained from ITSS Security Administration.
- The standard security principle of least privilege required to perform a function should always be used.
- Strong passwords must be used for administrative accounts; where possible, ADMIN accounts should be renamed, and the number of administrative accounts should be kept to a minimum.
- Root or administrator accounts should not be used when a less privileged account will suffice.
- Servers should be physically located in an environmentally and access-controlled area. Servers are specifically prohibited from operating from uncontrolled cubicle areas.
- Hardware fault tolerance should be employed where mission-critical data is stored.
- Backup media should be stored in an access-controlled environment. Backups containing sensitive and/or confidential data should be stored encrypted. There must be a formal test cycle in place for proving successful tape retrieval, critical system restores, and file recovery. Refer to the Electronic Data Backup Policy.
- Anti-virus protection software must be installed and scheduled to scan for and automatically update new signature files weekly.
- Centralized system monitoring should be done regularly.
4.0 Security Events, System Logs, and Audit Trails
All security-related events on critical or sensitive systems must be logged and audit trails saved. These events must be reviewed by the system administrator. A suggested rotation would include:
- All security-related logs will be kept online for a minimum of 1 month.
- Daily incremental tape backups of logs will be retained for at least 1 month.
- Weekly full tape backups of logs will be retained for at least 1 month.
- Monthly full tape backups of logs will be retained for a minimum of 2 years at an approved off-site storage facility.
Security-related events will be reported to ITSS Security Administration, who will review logs and report incidents to ITSS management and the Computer Incident Advisory Council. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
- Port-scan attacks.
- Evidence of unauthorized access to privileged accounts.
- Anomalous occurrences that are not related to specific applications on the host.
- Any malicious attacks which compromise, interrupt, or deface GHSU information systems.
All servers must be properly sanitized in compliance with the GHSU Electronic Data Disposal Policy (http://policy.georgiahealth.edu/2010/09/23/surplus-personal-computerselectronic-property/) before redistribution outside the institution.
ITSS reserves the right to perform audits on all GHSU-owned IT devices. Audits will be performed on a regular basis by authorized organizations within GHSU. ITSS Security Administration will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification.
Every effort will be made to prevent audits from causing operational failures or disruptions.
7.0 Related Documents