Policy on Networked Server Management
The purpose of this policy is to describe controls that should be in place
to protect data and equipment. Private data is most important to protect, and
servers storing private data should comply with this policy. For servers storing
public information that is easy to recover, these controls may be viewed as
guidelines rather than requirements.
For more information on what constitutes private data, and for information
about how to secure desktop computers that access private data, see the University
of Minnesota Standard on Securing Private Data. For more details on configuring
networked servers,
see the University of Minnesota Server
Accounts and Passwords
- Accounts on a system should match the business need. Only those who have
a business need should have access.
- Accounts should be closed as soon as access is no longer required, such
as when an employee changes jobs or leaves the University.
- Accounts should be reviewed yearly to ensure that only those who have a
business need for access have accounts.
- Systems should require that each account have a password. Systems should
passwords whenever possible.
- Systems should be configured to deny access to an account after multiple
unsuccessful login attempts.
- Passwords should be changed annually at a minimum.
Server Registration and Scanning
- UMD critical servers must be registered with ITSS and with OIT. Other servers
may be registered as well if desired.
- Registered servers will be scanned regularly for security vulnerabilities.
- Servers must have a system administrator who can be contacted in the event
of a problem.
- Server logs should be maintained and reviewed regularly to look for, and
respond to, inappropriate intrusion attempts.
- Server operating systems should be kept fully patched and up-to-date.
- Servers should have appropriate virus detection software installed and
- Security alerts should be monitored, and relevant alerts should result
in appropriate action by the system administrator.
Special Protection for Critical Private Data
- Servers storing protected health information associated with HIPAA must
have very tight security. System administrators for such servers must be
familiar with the University's Privacy
and Security Project and must comply with related server security requirements.
- Servers storing financial data, especially credit card information, must
have very tight security. Credit card processing must comply with the VISA
(PCI DSS) security guidelines. ITSS will provide assistance to units who
need to accept credit card data and will require the University's vendor
for credit card processing.
- Student records, personnel records, and all other private information stored
on servers must be kept very secure. Social Security Numbers require exceptional
security, and it is preferable that they not be stored on local servers at
all. For additional resources, see Understanding & Identifying
Private and Public Information.
- Servers should be located in data centers that are kept locked at all times.
- Data centers should have walls that extend through dropped ceilings and/or
below raised floors.
- Access to data centers should be limited to those individuals with a business
need to access the data center equipment.
- Data centers should be equipped with automated fire detection and fire
- Data centers should be equipped with uninterruptible power supplies that
trigger system shut-down before power runs out. Critical systems should be
tied to back-up power provided by generators.
Backups and Disaster Recovery
- Servers must be covered by a disaster recovery plan, which is tested and
- Data stored on servers should be backed up regularly. The backup schedule
can depend upon the degree to which data stored on the server changes. Backup
files should be stored far enough from the server itself that they will not
be destroyed in the event the server is destroyed.
- Data should be retained and archived as needed for system audit trails.
- System administrators should schedule a regular process for demonstrating
that a system can be rebuilt, and data recovered, in the event of a failure.
Data owners should be involved in the testing of the recovery process. This
should be done annually at a minimum.
Change Control Procedures
- Critical servers and applications should be modified using change control
procedures that ensure only authorized and tested program changes are moved
- Critical servers and applications should have separate development, test,
and production environments.
- Business-critical software should be protected in the event of a vendor
going out of business with a software escrow agreement. Such an agreement
would provide the University with access to the source code in case of a
business failure on the part of the vendor.
- Software purchased through the University Purchasing Office will include
the Software License
Agreement. Section 24 of this agreement is about software escrow.
- Departments purchasing without using the Software
License Agreement should consider requesting an escrow agreement for
business-critical software or be prepared to assume the risk should the
vendor have a business failure.