University of Minnesota Duluth
 
 
Information Technology Systems and Services.

Procedures for UMD Server Management - DRAFT

The purpose of these procedures is to describe special requirements for server management that apply on the UMD campus.

All server administrators must comply with the University of Minnesota Security Policies and Information Security Standards. UMD Information Technology Systems and Services (ITSS) will provide oversight and assistance for the entire campus.

If a policy or standard cannot be implemented, the system administrator must request a risk assessment from University Information Security, which will document the exception.

Data Security Classification

Procedures for managing servers will vary depending upon the classification of the data stored on the server. Server administrators should review the Policy on Data Security Classification as well as the accompanying Appendix on Identifying Security Level.

Servers that store private highly-restricted data must be given extra security, and system administrators of such systems must work closely with ITSS to ensure this. Special requirements for such servers are spelled out in the sections below.

Account Provisioning

System administrators must ensure that their systems comply with the Account Provisioning Standard. ITSS will provide an account provisioning procedure that system administrators outside of ITSS are welcome to use. Systems that store private highly-restricted data must use the ITSS procedures.

Authentication

All servers must comply with the authentication requirements outlined in Basic Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

Firewalls

Servers must employ both device and network firewalls. The Office of Information Technology provides some network firewalls that protect the UMD network. ITSS will provide specialized network firewalls for servers that store private highly-restricted data or for other servers upon request.

Log Management

System administrators are responsible for ensuring that all servers under their control comply with the Log Management Standard. ITSS has a secure logging server where your logs may be stored upon request.

Servers that store private highly-restricted data, particularly data covered by Payment Card Industry-Data Security Standard (PCI-DSS), must be registered to use the University Information Security log monitoring service. ITSS can help facilitate this.

Media Sanitization

Server storage must be handled according to the Media Sanitization Standard before it can be recycled, sold, returned to the vendor, or taken off campus. See also the Secure Data Deletion and Secure Disposal of Equipment section of Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

ITSS can sanitize and dispose of server storage for UMD units. Server storage that holds private highly-restricted data must be disposed of through ITSS.

Operating System Access Control

Servers must be configured to meet the Operating System Access Control Standard. ITSS will provide an operating system access control procedure that system administrators outside of ITSS are welcome to use. Servers that store private highly-restricted data must use the ITSS procedures.

Physical Security for Servers

Servers must be in an appropriate and secure physical facility. ITSS will provide housing for servers in the ITSS data center or in a secure server room. Servers that store private highly-restricted data must be located in a secure physical facility managed by ITSS.

Server Change Control

Servers must comply with the Change Control for Software Development and System Implementation section of Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices.

Server Configuration

All servers must comply with the Server Configuration requirements outlined in Advanced Security for Computers and Other Electronic Devices, a set of procedures associated with the Policy on Securing Private Data, Computers, and Other Electronic Devices. ITSS offers server administration services to the campus. In particular, ITSS strongly recommends using our virtual server infrastructure to improve backup, disaster recovery, and system administration. By contracting with ITSS to provide these services, units pass the responsibility for most aspects of these procedures to ITSS.

 


Server Registration and Scanning

 

Backups and Disaster Recovery

 

Software Escrow

 

Resources

Securing Private Data, Computers, and Other Electronic Devices

Data Security Classification

Identifying Security Level

Security Policies

Information Security Standards

 

 

 


© 2014 University of Minnesota Duluth
Last modified on 04/21/14 04:38 PM